Comments on: Forgotten password interaction design http://www.jamesmansfield.id.au/forgotten-password-interaction-design/ UX designer - Melbourne Australia Sat, 13 Aug 2011 09:59:00 +1000 hourly 1 http://wordpress.org/?v=3.1.4 By: Ernie Bello http://www.jamesmansfield.id.au/forgotten-password-interaction-design/comment-page-1/#comment-5807 Ernie Bello Tue, 28 Jul 2009 16:29:32 +0000 http://www.jamesmansfield.id.au/?p=343#comment-5807 I will also heavily recommend against option 1, as not only will the email be insecure, but the database itself will be as well. In the unlikely -- but very real -- scenario that a web site's database is hacked, the hacker will also have access to everyone's password in plain text. As for the other options, I vote for #3 as well for usability. I will also heavily recommend against option 1, as not only will the email be insecure, but the database itself will be as well. In the unlikely — but very real — scenario that a web site’s database is hacked, the hacker will also have access to everyone’s password in plain text.

As for the other options, I vote for #3 as well for usability.

]]> By: Jeremy http://www.jamesmansfield.id.au/forgotten-password-interaction-design/comment-page-1/#comment-5806 Jeremy Tue, 28 Jul 2009 00:14:32 +0000 http://www.jamesmansfield.id.au/?p=343#comment-5806 Hi James, My preference is definitely for the third option. It means I can easily re-set the password (just by clicking on a link), without it being sent to me in plain text. You're right about the password encryption (or hashing), but this only precludes option 1. For option 2, the password is generated and sent, then only the hash of the password is stored. With regards to the email being intercepted, option 1 creates a much larger window of opportunity for an attacker: if someone intercepts that email, they are able to log into my account at any time in the future (or until I change my password). Also, I may have no idea that my password has been taken. For options 2 and 3, the attacker needs to be the first to see (or act on) the password reset email: once I've received it and set a new password, the contents of the email are useless to anyone else. If someone has intercepted the email and beat me to the 'change password' stage, then I can tell that this has happened (because the new password or link to click on is now invalid). I see option 3 as a more usable version of option 2: rather than having to click on a URL to get to your site, then cut & paste the new password, it's (effectively) encoded on the URL I click on. From there on, both cases can be identical. Cheers, Jeremy Hi James,

My preference is definitely for the third option. It means I can easily re-set the password (just by clicking on a link), without it being sent to me in plain text.

You’re right about the password encryption (or hashing), but this only precludes option 1. For option 2, the password is generated and sent, then only the hash of the password is stored.

With regards to the email being intercepted, option 1 creates a much larger window of opportunity for an attacker: if someone intercepts that email, they are able to log into my account at any time in the future (or until I change my password). Also, I may have no idea that my password has been taken.

For options 2 and 3, the attacker needs to be the first to see (or act on) the password reset email: once I’ve received it and set a new password, the contents of the email are useless to anyone else. If someone has intercepted the email and beat me to the ‘change password’ stage, then I can tell that this has happened (because the new password or link to click on is now invalid).

I see option 3 as a more usable version of option 2: rather than having to click on a URL to get to your site, then cut & paste the new password, it’s (effectively) encoded on the URL I click on. From there on, both cases can be identical.

Cheers,

Jeremy

]]>