If someone has access to the link, they most likely have access to the user's email account to which the email with the link was sent and can request (and read) a new password reset link email at will.
Related
I am faced with a beautiful enigma. In wordpress I have a widget that allows you to login with social login (google and facebook). When you login for the first time, the system automatically generates a password and username. This works well. I checked the database and password is correctly present as hashed.
Now, the problem is that if the user goes into profile settings and wants to change their password they have to enter current password first, but they can't know it since it was generated automatically.
I would like to give the user full control over the security of his account, so that he can change his password even if he is logged in with the social login.
So I foresee three possible solutions
Allow the password to be changed without entering the current one (but it seems insecure).
Email the automatically generated password (and I have no idea how I could do it). Or alternatively view it in the user's profile but I don't know how safe it is.
Disable social login and rely on the classic registration :)
Has anyone faced a similar situation before? Can you clarify this with some standard method / practice ?
You can allow the user to ask for a new password he/she specifies. The user will specify the password twice (password and confirm password fields) and then you:
encrypt the password the user asked for
store the encrypted value somewhere as password candidate (metadata, perhaps)
send an email to the user so he/she can confirm that he/she indeed asked for a password
once the user clicks on the link you have sent to him/her, replace the value of the password with the password candidate and remove the password candidate
Don't forget that the user is already logged in when he/she changes his/her password, adding an email validation to the password he/she asked for is pretty safe.
In Visual Studio 2017, if you create a new ASP.NET Core Web Application (Razor Pages) configured to use Individual user accounts and Store user accounts in- app, the "Forgot password" flow is as follows.
User goes to login page
User click "Forgot your password?"
User enter email address and click "Submit"
An email is sent to the user with a link to reset password. This link contains the user id (Guid), and a code used for reset.
User click link and is taken to the "Reset password" page.
User enter Email, Password and Confirm password and click Reset.
Password is then reset.
My question is if there is some specific reason the user is requested to enter his email in step 6, considering that the user id is already in the URL. The reset password page could look up the user by the id and not ask for the email address.
I assume it's a security-feature, in case someone intercepts the link. But intercepting the link would likely mean intercepting the email containing the link, and then the users email would be known anyway. So I feel like I am missing something.
Sounds like a security issue to me.
Even though you could look up the user id, show them their email and that would be a better user-experience; it's slightly more secure to have the user enter his/her email again with the code for reset. This way the password reset still contains something you know and something you have to authenticate the user during the password reset process. The something you know is the email address, the something you have is the reset code (and possibly the user id).
If email is not required, and an attacker somehow got a hold of the reset password information but didn't know the user's email address, the attack would be able to use the guid & reset code to reset the password.
If email is required and the attacker does not know the email address then the attacker wouldn't be able to reset the password with just the reset information (user id/code).
Password reset, isn't really used that often and doesn't really have to be the most user-friendly part of your website. Better to be more secure.
I have a requirement where I need to log in a new user to a Meteor application by default, and take the user to the reset password route after that.
I looked into this documentation, but I don't think it would apply here, because the password is not known. Here's my use case in detail :-
A user invites another new user by providing the invited user's email ID. The application sends email invite to the user, asking them to be taken to a route which normally requires logging into the application.
The new user who receives the email invite, is not yet signed up with the application. So, they need to pick a password to log in to the invited area of the application.
Currently, I am using the meteor-useraccounts:core package; to trigger the resetPasswd route for FlowRouter. Using the onSubmitHook, one can redirect the user to the proper location after successful reset of the password.
However, I am not able to figure out how to first log in the user automatically. Because if the user is not logged in, the reset password page won't open. Instead, it would show some error, indicating unauthorized action.
How could a link be sent via mail to the invited user, which would automatically log in the user?
I looked into this documentation, but I don't think it would apply
here, because the password is not known.
That is right, and because of that, in order to achieve that you have to create an account for that e-mail at the time the user enters a link sent by e-mail. Or create the account at time of invitation.
So possible solutions:
1) create an account for an e-mail provided in query (http://app/login?email=blabla#google.com) for a route, random password, reset password e-mail sent immediately after the login. (create login automatically login the user). That would also required some security key, so that no-one could create lots of accounts on different e-mail addresses.
2) create account at time of invitation, take random password and send it as a query parameter of the link sent to the invited user. When user enters the site, you take that password (and e-mail) and login him with that, and immediately send reset password for that e-mail
I would like that the user after clicking on the registration link sent via email (after the complete the registration form), log-in automatically without that he must enter your username and password.
How can I do?
Thanks in advance
That is a security issue. You should verify the appropriate person received the email by asking for credentials. At most, you could probably store email in local storage/cookie and retrieve it on the login page. But please dont auto login.
A customer of ours complained about login password recovery using plain text password. The only workaround I know is auto-login with encripted username and passord in the query string.
What other options exist to increase the password recovery security?
Thanks.
You can send them a URL that lets them reset the password themselves.
You could create a database table that stores, at the very minimum, a user id and a hash value.
Send the user a link that includes the hash, and on the receiving page look up the associated information and allow the user to reset the password to the account. Which I'm hoping you store in the database as a hash value. Plain text passwords should never be stored or sent out.
Just be sure that the link either expires or is deactivated once the password is changed. Otherwise someone could visit that link whenever they want and change the password.
Along the same lines as Brandon's excellent answer, here is what we do:
Do not store passwords in plain text, or even a decryptable value. Always store passwords using a 1-way hashing algorithm. This means only the user can ever know what the plain-text password is.
When a user forgets their password, present them with a form where they enter their email address, and click submit.
When they submit their email address, create a table row with 2 major pieces: The first is a password reset token (we use a Guid for this). The token should be timestamped, so that you know when it was created, and when it expires (ours expire within 2 hours of submission). The second piece is a secret code that the user will have to enter in order to reset their password.
Send an email to the user, with a link to a page that will accept the token and secret code. When they click the link (or visit the page and enter the code manually), you can then present them with a page that lets them change their password without knowing its previous value.
Using a time-constrained token is a good idea, because if the user's email account is later compromised, the criminals can't use the email to reset the password -- assuming of course that the email account is not compromised within 2 hours of the password reset request.
I wouldn't send out the actual password of the account in plain text to the user's email address. The reason for this is because if someone hacked the users email address now they have their actual password. Most likely this password will be used for other systems as well.
The alternative is to send an encrypted querystring that links to that user and allow them to change their password based on some sort of security question or demographics you have specific to that user.
Facebook uses a matching of friends images to names. If you have their DOB and address you could use that (not that secure). Or you could set up specific security question and answers which would be better.