Secure password reset without sending email

How can I implement a secure password reset function without sending email to the user? There is another secure piece of information that I store, and that only the user should know, but it seems unsafe to just let the user update the password because they know the 9-digit number.

Please note: user data is stored in a simple SQL table due to restrictions on real database users on the server I'm working on.

Any input would be appreciated.

Update:
Having tried OpenID, and remembering that this server does not allow PHP (and thus cURL) to make any external requests, I tried sending mail with PHP again. Apparently, all my previous terrible experiences with mail() on this server are gone.

Thanks for all your input; I can take another look at OpenID in the future.

+7
security php passwords
4 answers

Punt on the password issue. Switch to OpenID. You do not need to worry about password reset at all, and the user only gets a new password if he so desires.

It is a win-win.

+2

Typically, identifying a user as real on the Internet requires an "opt-in" model, in which the user "opts in" to the password reset, and an email is sent confirming either that they want it reset, or that it was reset and what the new password is.

Indeed, the only reasonably safe alternatives are those that use this method: send an email, an SMS message that they must answer, an automated phone call where they must punch in numbers, etc.

The only method I can think of that does not use this system is the security question. Banks often use them for additional verification when users register or fail to log in correctly several times. Sometimes they are also used as a "secret" code to retrieve a password, but even then it is usually sent by e-mail to the user, not displayed on the page.

+1

By not sending an email, you limit yourself significantly. One of the advantages of sending a password reset or a new password to someone's email address is that you can rely on them being the only person who has access to their email account.

However, you can use a "secret question" scheme to allow someone to reset their password. When the person creates their account, you capture a secret question and answer. Then you ask the user that question and only allow the reset if they answer correctly.

I must warn you that this is not a good way to protect a password from unauthorized access. For a good article, read: http://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html

0

You have no way of knowing who is trying to reset "Joe's" password. It could be Joe, or it could be someone posing as Joe.

An alternative to sending email is either calling one of Joe's phones with a one-time reset key, or sending an SMS message.

Calling Joe's phone with an audio message is easy from http://www.twilio.com/ But anyone can pick up the phone in Joe's office. Thus, you usually want an extra check before calling, for example a secret question/answer. Using the phone plus the secret Q&A, you have made things tougher for the bad guys, but still doable for Joe.

Another idea is to send the reset message to someone whom Joe trusts and who knows Joe (by email or by phone/SMS). A variant of this is to send it to an employee who knows Joe, for example his designated sales rep, HR rep, etc.

Use the post: send a letter by street mail with the reset code. It will take a couple of days to get there, but mail theft is a federal rap. See http://www.postalmethods.com/ If very bad negative outcomes are possible, this may be a good solution.

For any of the above, Joe will enter the information when he sets up his account.

Another option is to require Joe to call the help desk and let a person interrogate him.

The bottom line is that no technique is perfect. See the history of Twitter breaches: http://www.technewsworld.com/story/67612.html?wlc=1247790901&wlc=1248238327

Last thought: don't forget about anti-phishing. This is often done by letting Joe choose an image that the site will show him when he does something important. The idea is that a phishing site will not be able to replicate the user interface, thereby raising Joe's suspicion that he may not have reached the intended site.

0
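The two mechanisms discussed in the answers above, the "secret question" check and a one-time reset key delivered over a side channel (SMS, voice call, post), combine naturally into one flow. The PHP below is an added example written for this page, not code from the question or any of the answers. It assumes a plain SQL table as the question describes (an in-memory SQLite database via PDO keeps it self-contained; the `INSERT OR REPLACE` syntax is SQLite's, MySQL would use `REPLACE INTO`), and it leaves delivery of the code to the caller, since Twilio, SMS or street mail is outside what can be shown offline. The 15-minute lifetime, the 5-attempt lockout and the answer normalization are assumptions, not rules from the page. Note what the code does to blunt the weaknesses the answers point out: the code is random, stored only as a hash, expires, is consumed on first use, and the secret answer must be supplied in the same request, so knowing one factor alone is never enough.

```php
<?php
// Added example: one-time password-reset code bound to a secret-question
// answer, stored hashed in a plain SQL table. Not from the original page.
declare(strict_types=1);

const CODE_TTL_SECONDS = 15 * 60;  // assumption: code is valid for 15 minutes
const MAX_ATTEMPTS     = 5;        // assumption: reset locks after 5 wrong guesses

function openDb(): PDO {
    // In-memory SQLite (needs pdo_sqlite) keeps the example self-contained.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL,
        secret_question TEXT NOT NULL, secret_answer_hash TEXT NOT NULL)');
    // Only the hash of the reset code is ever stored, never the code itself.
    $db->exec('CREATE TABLE password_resets (
        user_id INTEGER PRIMARY KEY, code_hash TEXT NOT NULL,
        expires_at INTEGER NOT NULL, attempts INTEGER NOT NULL DEFAULT 0)');
    return $db;
}

function normalizeAnswer(string $answer): string {
    // Case- and whitespace-insensitive so "Fluffy " still matches "fluffy" (assumption).
    return strtolower(trim(preg_replace('/\s+/', ' ', $answer)));
}

function registerUser(PDO $db, string $user, string $password, string $question, string $answer): void {
    // The secret answer is hashed like a password: it is a credential, not profile data.
    $st = $db->prepare('INSERT INTO users (username, password_hash, secret_question, secret_answer_hash)
                        VALUES (?, ?, ?, ?)');
    $st->execute([$user, password_hash($password, PASSWORD_DEFAULT),
                  $question, password_hash(normalizeAnswer($answer), PASSWORD_DEFAULT)]);
}

// Step 1: the user asks for a reset. Generate a random 8-digit code, store only
// its hash plus an expiry, and return the plaintext for out-of-band delivery.
function startReset(PDO $db, string $user): ?string {
    $st = $db->prepare('SELECT id FROM users WHERE username = ?');
    $st->execute([$user]);
    $id = $st->fetchColumn();
    if ($id === false) {
        return null;  // caller should answer identically for unknown users (no enumeration)
    }
    // random_int() is a CSPRNG; zero-padding keeps every code the same length.
    $code = sprintf('%08d', random_int(0, 99999999));
    $st = $db->prepare('INSERT OR REPLACE INTO password_resets (user_id, code_hash, expires_at, attempts)
                        VALUES (?, ?, ?, 0)');
    $st->execute([$id, password_hash($code, PASSWORD_DEFAULT), time() + CODE_TTL_SECONDS]);
    return $code;  // hand to SMS / voice / postal delivery; never display it on the page
}

// Step 2: the user submits the code together with the secret answer. Both must
// match, the code must be unexpired and under the attempt limit, and the row is
// deleted on success so the code can be used exactly once.
function completeReset(PDO $db, string $user, string $answer, string $code, string $newPassword): bool {
    $st = $db->prepare('SELECT u.id, u.secret_answer_hash, r.code_hash, r.expires_at, r.attempts
                        FROM users u JOIN password_resets r ON r.user_id = u.id
                        WHERE u.username = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['expires_at'] < time() || (int)$row['attempts'] >= MAX_ATTEMPTS) {
        return false;  // no pending reset, expired, or locked out
    }
    // Both factors are always evaluated, so a wrong answer and a wrong code take the same path.
    $answerOk = password_verify(normalizeAnswer($answer), $row['secret_answer_hash']);
    $codeOk   = password_verify($code, $row['code_hash']);
    if (!($answerOk && $codeOk)) {
        $db->prepare('UPDATE password_resets SET attempts = attempts + 1 WHERE user_id = ?')
           ->execute([$row['id']]);
        return false;
    }
    $db->beginTransaction();
    $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $row['id']]);
    $db->prepare('DELETE FROM password_resets WHERE user_id = ?')->execute([$row['id']]);
    $db->commit();
    return true;
}

// Constructed demo data; in production the code goes to the delivery channel instead.
$db = openDb();
registerUser($db, 'joe', 'old-password', 'Name of your first pet?', 'Fluffy');
$code = startReset($db, 'joe');
var_dump(completeReset($db, 'joe', 'Rex', $code, 'new-password'));     // wrong secret answer
var_dump(completeReset($db, 'joe', 'fluffy', $code, 'new-password'));  // right answer and code
var_dump(completeReset($db, 'joe', 'fluffy', $code, 'another-one'));   // same code again, already consumed
```

Two practical notes. The login path should also reject a user whose `password_resets` row is locked out until an administrator or a fresh delivery clears it, otherwise the attempt counter buys little; and because the secret answer is hashed, the question itself (which is not secret) can be shown on the reset form while the answer never appears in the database in clear.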
