Email user new link to create a password - asp.net

For password recovery my vb.net application sends an email to the user with a link in the following format.
http://<password-reset page url>?id=<userid>&tpr=<times Password Reset>&time=<time when the link was generated>
Times Password Reset is the number of times the user has used a password reset link to reset the password. Its value in the database and the value in the query string are matched, to ensure the same password reset link cannot be used twice to reset the password.
Time is used to check that not more than 24 hours have passed before the link is used.
And userid is used to identify the user.
If all the conditions match, the user is prompted to change his/her password.
All the fields in the link are encrypted with AES.
I wanted to know if this method is secure.

Quick answer: No.
Forget all the parameters you use in the URL. Just generate one random, non-guessable string (UUID for example) and put it in the URL as parameter. Then send that URL to the user via the email address you have stored for him. Store the UUID together with all the parameters you have in your URL now in your database. When the user clicks the link, validate all parameters (timestamp, and so on) and let him set a new password.
See also the OWASP Cheat Sheet on Password Reset.

Related

Password reset link generation for protected pages in Wordpress

I want to make a password reset functionality for protected pages in Wordpress for non-logged-in users.
The email of these people is stored in our database, and the page has a default random password.
Based on their e-mail address, which they type into a login form, if that email address is found in our database, they would receive an email with a reset link to that email address, which would point to a password reset page where they could make the change.
Is this possible in Wordpress in a way that is secure too? How would I go about it?
Yes, it is possible using the 15 steps below:
1. Create a password reset page with an input for the user's email address
2. Post the user's email address to the same page
3. Query the database table to verify the email address belongs to a registered user
4. Create a random string of characters, recommended 32 characters long
5. Store the random string in the database table
6. Create the password reset URL
7. The password reset URL should direct to the password reset page on your site
8. Include the random string as a query parameter in the password reset URL
9. Include the user's email address as a query parameter in the password reset URL
10. Email the password reset URL link to the user
11. When the user clicks on the password reset URL link it will open the password reset page
12. Capture the random string and user email query parameters
13. Query the database table to verify the email address belongs to a registered user
14. Cross-check the random string query parameter associated with the verified email address against the value stored in step 5
15. If they match, proceed to allow the user to change the password value
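The random-token flow from the first answer and the 15 WordPress steps above, as an added Python example (not code from either answer): the unguessable token alone identifies the reset record, so nothing else (user id, email, counter) needs to be in the URL; the store is a constructed in-memory dict standing in for the database table, and the 24-hour lifetime is taken from the original question.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 24 * 60 * 60   # 24-hour lifetime, as in the original question


@dataclass
class ResetRecord:
    user_id: int
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Constructed in-memory stand-in for the reset table; keyed by the token's hash."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.records: Dict[str, ResetRecord] = {}
        self.clock = clock

    @staticmethod
    def _hash(token: str) -> str:
        # Store only a hash: a leaked copy of the table cannot be turned into working links.
        return hashlib.sha256(token.encode()).hexdigest()

    def create_link(self, user_id: int, reset_page_url: str) -> str:
        # 32 random bytes -> 43-character URL-safe string; this is the only secret in the URL.
        token = secrets.token_urlsafe(32)
        self.records[self._hash(token)] = ResetRecord(
            user_id=user_id, expires_at=self.clock() + TOKEN_TTL_SECONDS
        )
        return f"{reset_page_url}?token={token}"

    def redeem(self, token: str) -> Optional[int]:
        """Return the user id if the token is known, unexpired and unused; else None."""
        rec = self.records.get(self._hash(token))
        if rec is None or rec.used or self.clock() > rec.expires_at:
            return None
        rec.used = True   # single use: the same link can never reset the password twice
        return rec.user_id
```

The reset page passes the `token` query parameter to `redeem()` and shows the new-password form only for a non-None result; because only the hash is stored, the raw token exists solely in the email that was sent.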

ASP MVC one time login

Given the following scenario:
I have an email address.
I want the owner of that email address to click on a link that I send to him by email.
The page that I want the user to visit must be protected by a password, this password can be included in the mail that I send to him.
The site that the user is interacting with is using the simple membership provider for the regular users, but I don't want to use that system for this special one time visitor, as it leads to more tasks administering and cleaning up.
What are my alternatives?
When you send the email to the user, generate a random password and save it in the table against the email address. You will also store some unique id that you will pass in the link you provide in the email. This unique id in the URL will be used to identify the email address and also the one time password (OTP). It is also better to have an expiry date for the password. So your database table will have the following columns.
Unique Link Id
Email address
One Time Password
Expiry Date
That's it. When the link is clicked, access the unique id, ask the user for the OTP and validate.

Plain text password vs autologin

A customer of ours complained about login password recovery using a plain text password. The only workaround I know is auto-login with encrypted username and password in the query string.
What other options exist to increase the password recovery security?
Thanks.
You can send them a URL that lets them reset the password themselves.
You could create a database table that stores, at the very minimum, a user id and a hash value.
Send the user a link that includes the hash, and on the receiving page look up the associated information and allow the user to reset the password for the account, which I'm hoping you store in the database as a hash value. Plain text passwords should never be stored or sent out.
Just be sure that the link either expires or is deactivated once the password is changed. Otherwise someone could visit that link whenever they want and change the password.
Along the same lines as Brandon's excellent answer, here is what we do:
Do not store passwords in plain text, or even a decryptable value. Always store passwords using a 1-way hashing algorithm. This means only the user can ever know what the plain-text password is.
When a user forgets their password, present them with a form where they enter their email address, and click submit.
When they submit their email address, create a table row with 2 major pieces: The first is a password reset token (we use a Guid for this). The token should be timestamped, so that you know when it was created, and when it expires (ours expire within 2 hours of submission). The second piece is a secret code that the user will have to enter in order to reset their password.
Send an email to the user, with a link to a page that will accept the token and secret code. When they click the link (or visit the page and enter the code manually), you can then present them with a page that lets them change their password without knowing its previous value.
Using a time-constrained token is a good idea, because if the user's email account is later compromised, the criminals can't use the email to reset the password -- assuming of course that the email account is not compromised within 2 hours of the password reset request.
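The two-part design described in the ASP MVC answer above (unique link id plus one-time password with an expiry) and the token + secret code design in this answer, as an added Python example that is not code from either answer. The in-memory store is a constructed stand-in for the table, the 2-hour lifetime comes from this answer, and the 5-attempt lock-out is an assumption added because a short code only stays safe when guesses are capped.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

LINK_TTL_SECONDS = 2 * 60 * 60   # tokens expire within 2 hours, as in the answer above
MAX_CODE_ATTEMPTS = 5            # assumption: lock the request after 5 wrong codes


class ResetRequest:
    def __init__(self, user_id: int, code_hash: str, expires_at: float):
        self.user_id = user_id
        self.code_hash = code_hash     # hash of the secret code, never the code itself
        self.expires_at = expires_at
        self.attempts = 0
        self.used = False


class TwoPartResetStore:
    """Constructed in-memory stand-in for the table: link id, user, OTP hash, expiry."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.requests: Dict[str, ResetRequest] = {}
        self.clock = clock

    @staticmethod
    def _hash_code(token: str, code: str) -> str:
        # Bind the code to its token so a code cannot be replayed against another request.
        return hashlib.sha256(f"{token}:{code}".encode()).hexdigest()

    def start(self, user_id: int) -> Tuple[str, str]:
        token = secrets.token_urlsafe(16)                 # goes into the emailed link
        code = f"{secrets.randbelow(10 ** 8):08d}"         # 8-digit code the user types in
        self.requests[token] = ResetRequest(
            user_id, self._hash_code(token, code), self.clock() + LINK_TTL_SECONDS
        )
        return token, code

    def verify(self, token: str, code: str) -> Optional[int]:
        req = self.requests.get(token)
        if req is None or req.used or self.clock() > req.expires_at:
            return None
        if req.attempts >= MAX_CODE_ATTEMPTS:
            return None                                   # too many guesses: request is dead
        req.attempts += 1
        if not hmac.compare_digest(req.code_hash, self._hash_code(token, code)):
            return None
        req.used = True                                   # one successful use only
        return req.user_id
```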
I wouldn't send out the actual password of the account in plain text to the user's email address. The reason for this is that if someone hacked the user's email address, they now have their actual password. Most likely this password will be used for other systems as well.
The alternative is to send an encrypted query string that links to that user and allow them to change their password based on some sort of security question or demographics you have specific to that user.
Facebook uses a matching of friends images to names. If you have their DOB and address you could use that (not that secure). Or you could set up specific security question and answers which would be better.

Password recovery

My client's requirement for the password recovery is:
when the user enters his email/username, the system will email him a unique link. When the user clicks the link in his email,
the system will take the user to the change password page. The user will type a new password and his password will be changed.
Any idea how to do this?
Right now the change password page is only accessible to logged-in users. How do I let a user into the page via an external link click?
This is a kind of a "Password change process":
Create a database table with the userId, createDate, closeDate, and a UUID
send the mail with a link to your page that has the UUID from the process database table
if the user enters the page you check if the process is still open (closeDate is null)
user can change password
you set the closeDate
First check whether the user's email exists; if it does, send him/her a unique email with the link.
Example:
string link = "http://www.abc.com/passwordrecovery.aspx?ID=" + Guid.NewGuid().ToString();
In this way you will send a unique email to every user. Also store this ID in the user table so that when the user clicks the link you will be able to verify the sender.
On your password recovery page, check the value of the query string variable ID
and match it against the ID of the user in the database; if they are equal, then show the password page for the required user.
Hope you understand it.
In your link use a unique identifier as the query string. Intercept the params in your page load event and look in the database for a match.

Securing temporary passwords sent through e-mail to users?

I have a simple web application set up where admins can create users. Users do not create themselves. All an admin has to do is enter a username and an e-mail and a temporary password is sent to the user for them to login. This e-mail is sent in plain text format. If the user is logging on for the first time, they are required to change their password and enter a security question and answer. The user obviously has to know their temporary password in order to login for the first time and this is the only way I know of letting them know (through e-mail). The other option would be to have the admin call the user and tell them over the phone or in person their temporary password, but this is not practical. How could I handle a situation like this?
I typically use a temporary URL based on an invite record on the back end. Essentially you create an invite record and generate a hash based on some information, perhaps the user's email address, a timestamp and a random value. Store the hash as part of the invite record and then send them a URL with the hash as the parameter.
When they click the link, look up the invite and validate that it exists and has not been used; then allow them to set up their password and invalidate the invite.
It gets rid of the need to send any sort of password, and you can set an expiry on your invite records if you want as well.
The scenario you describe is very common: emailing a temporary password and requiring it to be changed on first login. Unless you have a specific problem with this model I see no reason not to use it. Having an admin call users can get complicated; I would avoid this at all costs.
You can generate a custom URL with a password and user hash as argument where the user has to log in. The hash will be difficult to retrieve if the attacker does not have the information.