net website, i would like to implement forget password. I am using following steps
Form having input box for login Id and email Id and CAPTCHA
when user enter details and submit, at backend after validation new password is generated and replaced old password at database.
New passowrd is send to user at email.
Please help me whether i am doing right or not?
Is there any other secure mechanism for the same?
[EDIT]
Thanks, i got your reply. Really this is a secure mechanism. But here i have few doubt
What message should i shown to user when he enter loginId and email address at forgotten password page?
Whether message would be same for valid user and mallicious user?
Advantage of using CSRF token? Any help / link
When user click on link then what should i do; because as i guess user should automatically loggin into their account -then after that i have 2 choice (first) send new password automatically to user (second) new form will shown to user where user will enetr old password and new password twice?
Please help?
I can see why you'd want a CAPTCHA, but I'd take a different approach.
When a password reset is requested check that a reset has not already been requested for that account within the last X minutes. If a password has already been requested ignore the reset request.
Check the IP requesting the password reset. If that IP has requested a password reset in the last Y minutes ignore the request.
If the checks in 1 & 2 pass check the account exists. If it doesn't ignore the request.
If we've gotten this far generate a one time token, which expires in Z minutes and a password reset URL which encompasses this token. Email this to the registered email address. When the URL is loaded prompt for a new password and reset.
For those who believe that you should tell the user where the email has gone I strongly disagree. This is "information leakage", even if you do limit it to the domain name. For example say I've registered on JeffAtwoodEatsBabies.com as blowdart. If Jeff had requested a password reset for me and you showed the registration domain then he'd see idunno.org. This is my personal domain and thus Jeff would know the blowdart user is, in fact, me. This is a bad bad thing. I should not have to register using hotmail or gmail or whatever in order to protect myself from your code showing an email domain to all and sundry.
In addition you shouldn't be showing error messages at all. No matter what happens, a username is not actually registered, or too many requests have been made or the sky has fallen you should be telling the user that the password reset procedure has started. Informing a user that an account doesn't exist is more information leakage.
One final thing you could do is add a CSRF token to the reset request page, so it cannot be driven from other web sites.
Followup
So to answer your further questions.
What message you show is up to you. "Instructions for resetting your password have been emailed to the registered email for this account" is one idea, but really it's down to your audience.
Already addressed above.
Wikipedia is a good starting point. How you do it depends on your platform and is a complete other question! For ASP.NET you could look at my codeplex project, http://anticsrf.codeplex.com or look at ViewStateUserKey.
When the link is clicked I would first validate the token in the URL against the username it's being applied to then I would either allow the user to enter a new password, or generate a new one and email it. You can't prompt for the old one, as the whole point is the user has forgotten it!
There are many ways this has been implemented. As you said, generating a new password and sending it to the registered email address is one method. I wouldn't suggest you go that route though, as my password would be reset everytime somebody tried guessing my password.
Instead, the best thing I've seen to date is simply emailing the registered email with a link that will begin a password reset process. You may even let the user know which email address to check by showing a masked version of their email address used in registration:
An email was sent to ********#hotmail.com. Please check your inbox to continue.
Be sure to keep in consideration those of us who may forget which email address were registered with - typically a few security questions are a great way to make that information available.
I've done that recently. When the user enters their username or email address, we generate a unique token and email it to them as part of a link. Upon receipt of that email, they click the link, and are automatically logged in, taken to the my account screen, and prompted to reset their password.
Of course, this relies 100% on the security of the email client, but it's hard to beat from a usability perspective.
You shoud check the answer to the question : Can anyone provide references for implementing web application self password reset mechanisms properly? from D.W. on security.stackexchange.
It is the most complete answer I found on the subject. I also suggest you to read this article : Everything you ever wanted to know about building a secure password reset feature
Related
I am faced with a beautiful enigma. In wordpress I have a widget that allows you to login with social login (google and facebook). When you login for the first time, the system automatically generates a password and username. This works well. I checked the database and password is correctly present as hashed.
Now, the problem is that if the user goes into profile settings and wants to change their password they have to enter current password first, but they can't know it since it was generated automatically.
I would like to give the user full control over the security of his account, so that he can change his password even if he is logged in with the social login.
So I foresee three possible solutions
Allow the password to be changed without entering the current one (but it seems insecure).
Email the automatically generated password (and I have no idea how I could do it). Or alternatively view it in the user's profile but I don't know how safe it is.
Disable social login and rely on the classic registration :)
Has anyone faced a similar situation before? Can you clarify this with some standard method / practice ?
You can allow the user to ask for a new password he/she specifies. The user will specify the password twice (password and confirm password fields) and then you:
encrypt the password the user asked for
store the encrypted value somewhere as password candidate (metadata, perhaps)
send an email to the user so he/she can confirm that he/she indeed asked for a password
once the user clicks on the link you have sent to him/her, replace the value of the password with the password candidate and remove the password candidate
Don't forget that the user is already logged in when he/she changes his/her password, adding an email validation to the password he/she asked for is pretty safe.
I have a list of people with all their personal information (name, first name, date of birth, email, etc.). I created an account for each of these people in my database. I'm using Firebase.
Since I already have all my user's info, I don't want them to type it again when signing up to my website.
So I created a system using a custom token for authentication. I send them as a parameter of an URL to every one of my users.
When the user clicks on the link for the first time: he gets redirected to the signup page with all the fields pre-filled (name, date of birth, email, etc) except for the password. He types the password he wants and gets signed up.
When the user clicks on the link every other time: he gets redirected to the login page. A simple email + password interface with the email field already pre-filled. He types his password and gets logged in.
This is working great BUT I'm wondering: is this bad practice to do so?
Is this insecure to let anyone who gets the email create an account in the name of my user? Should I assume that someone, other than my user, may have total access to my user email account? Should I be prepared for this eventuality?
Since I already have all my user's info, I don't want them to type it again when signing up to my website.
If you already have the user's information, and you are allowed to process it, then it's a good practice to not let the user do something that it's already done.
is this bad practice to do so?
Not at all. That seems to me like a practice that is present almost everywhere. If you want to edit the profile data, you always have the existing data already pre-filled. The user has just to verify it or change it if needed.
Is this insecure to let anyone who gets the email create an account in the name of my user?
That sounds not like the best option if someone else can use that URL and create an account on behalf of the user. Most likely you should consider letting the user create the account only if it can validate the data through an SMS, or any other service that is specific to that user in particular.
Should I assume that someone, other than my user, may have total access to my user email account? Should I be prepared for this eventuality?
Yes indeed. You should always prepare for that. Never trust the users. There's not a perfect world out there.
I have my site configured to login with email/password (no user name).
I have login, forgot password, and password reset pages working as expected, largely based off of this guide and a lot of poking around. I'm at a bit of a loss looking for a more comprehensive or "advanced" guide for controlling user account behavior.
Currently, a registered user can "invite" another user by simply putting in their email address. This person receives an email which brings them to the login screen, but since there is no password set yet, this person must
Click on the forgot password link
Input their email
Follow the link from the reset email and set their password.
I'm trying to work out how I would get the initial invite email to land the person on a "set password" page.
Even a link to the relevant material is greatly appreciated! I have a feeling I may just be searching for the wrong things.
I haven't done it myself, but off top of my head, as an idea (requires Iron-Router ($ meteor add iron:router)):
1) Send a link to an invited user with the query in the link that equals this user's email (q=email#address.com).
2) Use Iron Router to fetch that query (this.params.query using, perhaps, onBeforeAction method).
3) Put the query into a Session.
4) Within Template.myTemplate.helpers() create a new helper that will display the session.
5) Inside your template: <input type="text" name="user_email_from_session" value="{{helper}}">
Hopefully my approach is not too newbie, but even if so, maybe it will serve you as an anti-inspiration :)
Meteor calls "invite" emails "enrollment" emails.
1) Create a new user on the server (doesn't need a password set).
2) Call Accounts.sendEnrollmentEmail(userId) on the server.
3) User receives an email with a link to set their initial password.
Docs: http://docs.meteor.com/api/passwords.html#Accounts-sendEnrollmentEmail
I have my little web application, with simple registration strategy - provide email and password and you are done.
Recently bot's starting to attack my application, registering big number of users from non existent emails using the same passwords.
I want to prevent that. My idea is to extend login verification, but check the existance of email address. Do you know any web services (prefereably WCF) that could do that?
This is definitely not the way to solve this problem. Try one of these
Allow user to enter only username and send auto-generated password to their email.
Send a verification link to the user email and approve him/her only after verification
This has been discussed on How to check if an email address exists without sending an email? . Basically there are ways verify email addresses, but in practice none of them is reliable. However, you can still check via SMTP, and if the server denies the existence of the expected user, send him an email with a verification link anyway. This does not prevent spammers from setting up fake servers that acknowledge the existence of any user, of using other peoples email addresses, but it's probably the closest you can get to your initial requirement of having no verification email.
I would recommend you to update your registration form. Try to use something tricky for bots. For example, post the form via AJAX with JSON object wrapper.
Try a service like: http://elasticemail.com/
You can use the api to check if the email was delivered. There is also a 'bouce list' you can check.
I am developing an app which I should design a page for users who forget passwords and send email to them the new passwords. I am using ASP.NET Membership and password format should be hashed.
My problem is when sending mail has been failed, password has been changed and wow! no work can be done.
what is your solution?
You should send users an email with a link, where they can confirm password reset (otherwise you could reset passwords to other users by guessing their emails). On the linked page users would then confirm password reset (or even change it themselves).
But it's a better practice not to send passwords in any way shape or form. It's the most secure.
The process
Users request password reset by their email.
They receive an email with a link
Theyclick the link and provide a new password that gets hashed right away and stored in the system.
You could temporarily set the passwordFormat value for affected users to "Clear" in the aspnet_Membership table, assign them a password, and then work on getting the e-mail working.
Setting the aspnet_Membership.passwordFormat value to 0 changes the format to Clear text, which means it's not encrypted. It's not secure, but will allow login. After that, you can reset the password and it'll be changed back to 2 (Encrypted).
The user should change their password again, and hopefully the email will succeed.
If they entered an incorrect address, they should contact an administrator who can correct their email address.
If it is possible to tell if an e-mail is successfully sent before you actually commit the change to the database this would be a good option. This isn't always the case, but maybe it could work for your application.
Usually with my experience ASP will thrown an exception if the e-mail fails. If this happens don't do anything in the DB, if the mail goes through then change the password. That doesn't mean they will get the e-mail but you can't account for problems during travel of the e-mail anyway. The option above would apply after this fails. ;)
I don't know the support for such a feature in asp.net.
But, some website send you an email with a link to click (that expires in some days). Clicking which, will make sure you are committing to that action (i.e. password is changed only after they receive email & click the link they received).
ASP.NET also supports the question and secret answer approach to password recovery if email doesnt work.