Your password reset token must be cryptographically random - this means that, given the set of tokens already issued, the next token should be impossible to guess. It should also cover a sufficiently large set of possible values that brute-forcing all of them is impractically slow.
You can make the latter work with smaller sets of possible values - for example, you can add a delay of 1 to the password reset page/action before checking the token. Your users will notice a delay on a rarely used page, but attackers will not be able to quickly try many tokens.
So first you need to get a cryptographically random number:
var random = new byte[8];
using (var rng = System.Security.Cryptography.RandomNumberGenerator.Create())
    rng.GetBytes(random); // fills the buffer from the OS CSPRNG
I put 8 bytes here, but you can use any length.
Then you need to turn this into a nicely copyable string. You can do this with a Unicode conversion, but I find base 64 more reliable:
var token = Convert.ToBase64String(random).TrimEnd('='); // drop the '=' padding
Using this with 8 bytes, you get 64 bits of possible values and a string of 10 chars. Using 4 will give you 32 bits (possibly acceptable with a slow token check on a low-security site) and 5 chars.
Keith
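The approach above wrapped in a reusable helper, as an added example that is not part of the answer: it uses the URL-safe base64 alphabet so the token can be placed in a reset link unencoded, and compares a presented token against the stored one in constant time. It assumes .NET Core 2.1 or later (for CryptographicOperations.FixedTimeEquals); the class and method names are my own.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not the answer's own code. Helper names are assumptions.
public static class ResetToken
{
    // Generate a token carrying 8 * byteLength bits of entropy.
    public static string Generate(int byteLength = 16)
    {
        if (byteLength < 1) throw new ArgumentOutOfRangeException(nameof(byteLength));
        var random = new byte[byteLength];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(random);
        // Standard base64, then swap the two URL-unsafe characters and drop padding.
        return Convert.ToBase64String(random)
            .TrimEnd('=')
            .Replace('+', '-')
            .Replace('/', '_');
    }

    // Decode a token produced by Generate (e.g. to compare with the stored value).
    public static byte[] Decode(string token)
    {
        string s = token.Replace('-', '+').Replace('_', '/');
        // Restore the padding that Generate removed so FromBase64String accepts it.
        switch (s.Length % 4)
        {
            case 2: s += "=="; break;
            case 3: s += "="; break;
            case 1: throw new FormatException("invalid token length");
        }
        return Convert.FromBase64String(s);
    }

    // Compare a presented token with the stored one without leaking, via timing,
    // how many leading bytes matched. Malformed input is simply a mismatch.
    public static bool Matches(string presented, byte[] expected)
    {
        byte[] got;
        try { got = Decode(presented); }
        catch (FormatException) { return false; }
        return CryptographicOperations.FixedTimeEquals(got, expected);
    }
}
```

With the answer's 8-byte example, Generate(8) yields 64 bits of entropy; the stored bytes (or a hash of them) are what Matches compares against, so the token itself never needs to be logged.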