Question

I read this answer and found a comment insisting that passwords should not be sent by email:

Passwords should not be retrievable by email; I hate that. It means my password is stored in plain text somewhere. It should be reset only.

This raises the question of how to handle the Forgot Password option.

At any cost the raw password must be displayed in any UI so that the user will be able to read it. So what would be the way to handle "Forgot Password"?


Solution

A good application design will not be able to explicitly recover a user's password. This is because it is usually stored after being run through some sort of hash, which is a one-way operation.

The best way to handle a lost password is to perform a reset: email the user's account a link with a generated parameter tacked on that identifies this as a valid password reset for the account in question. At this point they can set a new password.

This does assume you have the user's email address on file.
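The flow this answer describes, written out as an added example (not code from the original answer): passwords are stored only as a salted one-way hash, the reset link carries a random token whose hash is stored with an expiry, and redeeming the token is single-use. The in-memory dictionaries, the two-hour lifetime and the PBKDF2 work factor are assumptions standing in for a real database and policy.

```python
import hashlib
import secrets
import time
from hmac import compare_digest

RESET_TTL_SECONDS = 2 * 60 * 60   # assumed: emailed link stays valid for two hours
PBKDF2_ROUNDS = 600_000           # assumed work factor for PBKDF2-HMAC-SHA256

# Constructed in-memory stores standing in for the application's database.
USERS = {}         # username -> {"email": str, "salt": bytes, "pw_hash": bytes}
RESET_TOKENS = {}  # sha256(token) -> {"user": str, "expires": float}

def hash_password(password, salt):
    """One-way hash: the stored value cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def register(username, email, password):
    salt = secrets.token_bytes(16)
    USERS[username] = {"email": email, "salt": salt,
                       "pw_hash": hash_password(password, salt)}

def verify_password(username, password):
    user = USERS.get(username)
    if user is None:
        return False
    return compare_digest(user["pw_hash"], hash_password(password, user["salt"]))

def issue_reset_token(username, now=None):
    """Create the random parameter for the emailed link. Only its hash is stored,
    so a leaked RESET_TOKENS table cannot be used to reset anyone's password."""
    if username not in USERS:
        return None  # caller shows the same "check your email" message either way
    now = time.time() if now is None else now
    raw = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
    key = hashlib.sha256(raw.encode()).hexdigest()
    RESET_TOKENS[key] = {"user": username, "expires": now + RESET_TTL_SECONDS}
    return raw  # this goes into the link, e.g. https://app.example/reset?token=<raw>

def redeem_reset_token(raw, new_password, now=None):
    """Consume the token (single use) and, if unexpired, set the new password."""
    now = time.time() if now is None else now
    key = hashlib.sha256(raw.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)  # removed even when expired: never reusable
    if entry is None or now > entry["expires"]:
        return False
    user = USERS[entry["user"]]
    user["salt"] = secrets.token_bytes(16)
    user["pw_hash"] = hash_password(new_password, user["salt"])
    return True
```

Nothing in this design can ever produce the original password, which is exactly why a "send me my password" feature cannot exist alongside it.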

Other tips

You should not store the user's main password as plaintext, but you CAN store a temporary password as plaintext, i.e.

user resets password -> temp password is created -> temp password is sent via email -> user is forced to change password at next log in (new password can't be temp password maybe)

The comment is against sending the original password in email, not sending anything in email. If the institution can send the original password, that means they have it, and that's a security problem. The commenter was not arguing against sending a password through email, because that's pretty much necessary in most cases.

The proper way is to assign a new password that's usable once, for whatever reason. Perhaps it's already marked expired by the system, perhaps it just logs into a page to change the password that's dynamically generated once and only once, whatever.

The thing I like the best is for the application to send an email to the user at the registered email address with a one-time link valid for X hours which provides a "Change password" page.

The user can then set the password as s/he likes without risking having it put in an email.

My credit card provider has a "forgotten password" option that asks you some security questions (this is not immensely secure in itself, but lots of banks do it) and then generates a new code and gives you half on screen and emails the second half to you. That way you can't break the account without access to both the web page and the email address.

I have asked a little about this from a usability perspective a while back.

Licensed under: CC-BY-SA with attribution