I’m working on a Register, Sign up, Join or whatever you think best to call it process for an online application. Where I’m at now (after deciding to go with “Join” by the way) is what’s the best process for those who have forgotten their password. As I currently see it (from testing some) there are three main ways to do it (please let me know if there are others worth considering) and these are:
- Emailing the current password to the user,
- Emailing a new password to the user and asking them to change this when they come back to the site, and
- Emailing the user a link which they click on and then reset their password on the website.
Now my preference is for the easiest option, number 1, in that it is the easiest and simplest user experience. I do, however, realise it’s not the most secure, but this is where it gets murky for me. I realise that emails are not very secure and can be easily intercepted, but my feeling is that if someone can intercept an email then none of those proposed approaches is secure, so go with the easiest for the user.
The only thing I can think of is that in options 2 and 3 the password is not actually known by the service – that it is somehow encrypted in the database and cannot be pulled out and converted to text as such?
Your thoughts, preferences, views and expertise would be appreciated.
Comment by Jeremy — July 28, 2009 @ 10:14 am
Hi James,
My preference is definitely for the third option. It means I can easily re-set the password (just by clicking on a link), without it being sent to me in plain text.
You’re right about the password encryption (or hashing), but this only precludes option 1. For option 2, the password is generated and sent, then only the hash of the password is stored.
With regards to the email being intercepted, option 1 creates a much larger window of opportunity for an attacker: if someone intercepts that email, they are able to log into my account at any time in the future (or until I change my password). Also, I may have no idea that my password has been taken.
For options 2 and 3, the attacker needs to be the first to see (or act on) the password reset email: once I’ve received it and set a new password, the contents of the email are useless to anyone else. If someone has intercepted the email and beaten me to the ‘change password’ stage, then I can tell that this has happened (because the new password or link to click on is now invalid).
I see option 3 as a more usable version of option 2: rather than having to click on a URL to get to your site, then cut & paste the new password, it’s (effectively) encoded on the URL I click on. From there on, both cases can be identical.
Cheers,
Jeremy
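The option 3 flow Jeremy describes, as an added example that is not part of the original post or comments: passwords are stored only as salted hashes (so option 1 is impossible by construction), the reset link carries a random single-use token, and the database keeps only the token's hash with an expiry, so neither an intercepted link nor a leaked database can be replayed once the user has acted. The in-memory dictionaries, the 15-minute lifetime and the user name "james" are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores standing in for database tables (assumption).
USERS = {"james": {"salt": os.urandom(16), "pw_hash": b""}}
RESET_TOKENS = {}  # sha256(token) -> {"user": ..., "expires": ...}
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link


def hash_password(password: str, salt: bytes) -> bytes:
    # Only a salted PBKDF2 hash is stored: the site never holds the password,
    # so it cannot email it back (option 1) or leak it from the database.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def set_password(user: str, password: str) -> None:
    USERS[user]["pw_hash"] = hash_password(password, USERS[user]["salt"])


def verify_password(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"])


def issue_reset_token(user: str, now: float = None) -> str:
    # The raw token goes only into the emailed link; the database keeps its hash,
    # so a database leak does not hand an attacker any usable reset links.
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[token_hash] = {"user": user, "expires": now + TOKEN_TTL_SECONDS}
    return token


def consume_reset_token(token: str, new_password: str, now: float = None) -> bool:
    # Single use: the record is removed on first presentation, valid or not, so an
    # intercepted link is useless once the legitimate user has already acted on it.
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    rec = RESET_TOKENS.pop(token_hash, None)
    if rec is None or now > rec["expires"]:
        return False
    set_password(rec["user"], new_password)
    return True
```

A second presentation of the same link fails, which is exactly the signal Jeremy relies on to notice that someone else used the email first.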
Comment by Ernie Bello — July 29, 2009 @ 2:29 am
I will also heavily recommend against option 1, as not only will the email be insecure, but the database itself will be as well. In the unlikely — but very real — scenario that a web site’s database is hacked, the hacker will also have access to everyone’s password in plain text.
As for the other options, I vote for #3 as well for usability.