A customer of ours complained about login password recovery using plain text password. The only workaround I know is auto-login with encripted username and passord in the query string.
What other options exist to increase the password recovery security?
Thanks.
You can send them a URL that lets them reset the password themselves.
You could create a database table that stores, at the very minimum, a user id and a hash value.
Send the user a link that includes the hash, and on the receiving page look up the associated information and allow the user to reset the password to the account. Which I'm hoping you store in the database as a hash value. Plain text passwords should never be stored or sent out.
Just be sure that the link either expires or is deactivated once the password is changed. Otherwise someone could visit that link whenever they want and change the password.
Along the same lines as Brandon's excellent answer, here is what we do:
Do not store passwords in plain text, or even a decryptable value. Always store passwords using a 1-way hashing algorithm. This means only the user can ever know what the plain-text password is.
When a user forgets their password, present them with a form where they enter their email address, and click submit.
When they submit their email address, create a table row with 2 major pieces: The first is a password reset token (we use a Guid for this). The token should be timestamped, so that you know when it was created, and when it expires (ours expire within 2 hours of submission). The second piece is a secret code that the user will have to enter in order to reset their password.
Send an email to the user, with a link to a page that will accept the token and secret code. When they click the link (or visit the page and enter the code manually), you can then present them with a page that lets them change their password without knowing its previous value.
Using a time-constrained token is a good idea, because if the user's email account is later compromised, the criminals can't use the email to reset the password -- assuming of course that the email account is not compromised within 2 hours of the password reset request.
I wouldn't send out the actual password of the account in plain text to the user's email address. The reason for this is because if someone hacked the users email address now they have their actual password. Most likely this password will be used for other systems as well.
The alternative is to send an encrypted querystring that links to that user and allow them to change their password based on some sort of security question or demographics you have specific to that user.
Facebook uses a matching of friends images to names. If you have their DOB and address you could use that (not that secure). Or you could set up specific security question and answers which would be better.
Related
For Password Recovery my vb.net application send an email to the user with a link in the following format.
http://<password-reset page url>?id=<userid>&tpr=<times Password Reset>&time=<time when the link was generated>
Times Password Reset is the number of time the user has used a password reset link to reset the password. It's value in the database and the value in query string are matched. To ensure the same password reset link cannot be used twice to reset the password.
Time is use to check that not more than 24 hours have been passed before the link is used.
And userid is used to identify the user.
If all the conditions matches, the user is prompted to change his/her password.
All the fields in the in the encrypted with AES.
I wanted to know if this method is secure?
Quick answer: No.
Forget all the parameters you use in the URL. Just generate one random, non-guessable string (UUID for example) and put it in the URL as parameter. Then send that URL to the user via the email adress you have stored for him. Store the UUID together with all the parameters you have in your URL now in your database. When the user clicks the link, validate all parameters (timestamp, and so on) and let him set a new password.
Se also the OWASP Cheat Sheet on Password Reset.
I modified register usercontrol with my custom fields. In this control it doesn't have password field. I am generating password randomly with Membership.GeneratePassowrd() method. I am sending email to the user after registering using Membership.Getuser(username).GetPassword() method.Every thing is fine when i kept the PassowrdFormat=Clear in web.config file. Now i want to change to passwordFormat=Hashed. But if i use the passwordFormat as Hased then it is unable to retrieve the password. Bottom line is i want to send the password to the user which is hashed one. What is the workaround for this one. I am searching in google, but no suitable answers were found. It would be great full if any one give your helping hand.
I followed these link1, link2 but didn't give any solution.
As far as I am aware it's not possible to derive the plain text password from the hashed password stored in the database. If you need to send the plain text password via e-mail then you will need to keep track of it separately.
Depending on how your code is written it could just be as straightforward as saving the result of Membership.GeneratePassword() to a string variable and ensuring you send that in the e-mail and not any password values retrieved from the database.
This question already has an answer here:
Closed 12 years ago.
Possible Duplicate:
sending to an email with contact form asp.net
How to send email from ASP.NET page using C# as for forget password, password will be automatically emailed to the alternate id. I need how is it possible to send email from ASP.NET page using C#.
There is no shortage of articles and tutorials on this.
Side note: Being able to email the user their password implies that you're storing their password in plain text. Please, please don't do that. Passwords should be stored in an encrypted form. If the user forgets their password, email them a temporary link for them to reset their password.
You could use the SmtpClient class to send an email in a .NET application.
What you are suggesting sounds like a security risk. It is inadvisable to send a password through email, since this assumes your are storing the plain text password somewhere. Since you should only know the salted hash of the password, you probably want to make the user reset their password instead.
I suppose if you still have some reason to send an email you can check out an extensive tutorial here to start. Seriously though, You can compromise all of your users security if you are not hashing there passwords, and even more so if you are emailing them out.
The short answer is, as stated above (+1'd btw), to use the SmtpClient class.
However, it's dangerous to go emailing passwords around. As a rule of thumb:
Don't send passwords in clear text
Don't store passwords in clear text
When storing a password (if you don't have some framework that does all this for you)
Create a salt
Append the salt to the password
Hash the resulting string
Store the salt and resulting hash
Discard the password
When authenticating, add the salt to
the newly provided password, hash the
resulting string, and compare to your
stored hash
If a user has forgotten their password, send that user an email containing a one-time use, time-sensitive (expires in 1 hour?), unique-link to reset his/her password. It's also a good practice to require the user to manually provide his/her account name or other identifying criteria on the password-reset form.
I have a simple web application set up where admins can create users. Users do not create themselves. All an admin has to do is enter a username and an e-mail and a temporary password is sent to the user for them to login. This e-mail is sent in plain text format. If the user is logging on for the first time, they are required to change their password and enter a security question and answer. The user obviously has to know their temporary password in order to login for the first time and this is the only way I know of letting them know (through e-mail). The other option would be to have the admin call the user and tell them over the phone or in person their temporary password, but this is not practical. How could I handle a situation like this?
I typically use a temporary url based on an invite record on the back end. Essentially you create an invite record and generate a hash based on some information perhaps the users email address, a timestamp and a random value. Store the hash as part of the invite record and then send them a url with the hash as the parameter.
When they click the link lookup the invite and validate that it exists and has not been used - then allow them to setup their password and invalidate the invite.
It gets rid of the need to send any sort of password and you can set an expiry on your invite records if you want as well.
The scenario you describe is very common- emailing a temporary password and requiring it to be changed on first login. Unless you have a specific problem with this model I see no reason not to use it. Having an admin call users can get complicated- I would avoid this at all costs.
You can generate a custom url with a password and user hash as argument where the user has to log itself. The hash will be difficult to retrieve if the attacker does not have the information
I am developing an app which I should design a page for users who forget passwords and send email to them the new passwords. I am using ASP.NET Membership and password format should be hashed.
My problem is when sending mail has been failed, password has been changed and wow! no work can be done.
what is your solution?
You should send users an email with a link, where they can confirm password reset (otherwise you could reset passwords to other users by guessing their emails). On the linked page users would then confirm password reset (or even change it themselves).
But it's a better practice not to send passwords in any way shape or form. It's the most secure.
The process
Users request password reset by their email.
They receive an email with a link
Theyclick the link and provide a new password that gets hashed right away and stored in the system.
You could temporarily set the passwordFormat value for affected users to "Clear" in the aspnet_Membership table, assign them a password, and then work on getting the e-mail working.
Setting the aspnet_Membership.passwordFormat value to 0 changes the format to Clear text, which means it's not encrypted. It's not secure, but will allow login. After that, you can reset the password and it'll be changed back to 2 (Encrypted).
The user should change their password again, and hopefully the email will succeed.
If they entered an incorrect address, they should contact an administrator who can correct their email address.
If it is possible to tell if an e-mail is successfully sent before you actually commit the change to the database this would be a good option. This isn't always the case, but maybe it could work for your application.
Usually with my experience ASP will thrown an exception if the e-mail fails. If this happens don't do anything in the DB, if the mail goes through then change the password. That doesn't mean they will get the e-mail but you can't account for problems during travel of the e-mail anyway. The option above would apply after this fails. ;)
I don't know the support for such a feature in asp.net.
But, some website send you an email with a link to click (that expires in some days). Clicking which, will make sure you are committing to that action (i.e. password is changed only after they receive email & click the link they received).
ASP.NET also supports the question and secret answer approach to password recovery if email doesnt work.