0

What is the most secure method to allow a website user to reset their password? I know you can send a unique url to their email but are there any other techniques people use? Let's assume the user does NOT recall their current password.

gloo

3 Answers

1

The recommended way is to send a URL with a limited-time hash, which is active for 15 to 30 minutes and revoked when the password is changed.

If the information is really secure then you'd probably want to look at how banks handle password resetting, which normally involves a phone call and a telephone banking password!

Treemonkey
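The lifecycle the answer above describes (a random reset token that is unguessable, expires after a short window, can be used once, and is revoked together with any other outstanding tokens once the password is actually changed) can be modelled in a few dozen lines. The following is an added example, not code from the original post or from any library; `PasswordResetService`, `ResetRecord` and the in-memory store are assumed names, and a real deployment would keep the records in a database and send the token in the e-mailed link. The server stores only a SHA-256 fingerprint of the token, so a leaked table does not hand out usable reset links.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Upper end of the 15-30 minute window mentioned in the answer (assumption: 30 min).
TOKEN_TTL_SECONDS = 30 * 60


@dataclass
class ResetRecord:
    user_id: str
    expires_at: float
    used: bool = False


class PasswordResetService:
    """In-memory model of the reset-token lifecycle (example only)."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        # Keyed by the SHA-256 fingerprint of the token, never the token itself.
        self._records: Dict[str, ResetRecord] = {}

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        # 32 random bytes from the OS CSPRNG -> 43-character URL-safe token.
        token = secrets.token_urlsafe(32)
        self._records[self._fingerprint(token)] = ResetRecord(
            user_id=user_id, expires_at=self._clock() + TOKEN_TTL_SECONDS
        )
        return token  # this value goes into the emailed link

    def consume(self, token: str) -> Optional[str]:
        """Validate a token from the link. Returns the user id on success, else None.

        On success every outstanding token for that user is revoked, which is the
        "revoked when the password is changed" step; the caller is assumed to set
        the new password immediately afterwards.
        """
        rec = self._records.get(self._fingerprint(token))
        if rec is None or rec.used or self._clock() > rec.expires_at:
            return None
        self.revoke_all_for(rec.user_id)
        return rec.user_id

    def revoke_all_for(self, user_id: str) -> None:
        # Marks every token of the user as spent, including the one just consumed.
        for rec in self._records.values():
            if rec.user_id == user_id:
                rec.used = True


class FakeClock:
    """Controllable clock so the expiry path can be exercised without waiting."""

    def __init__(self, start: float = 1_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    svc = PasswordResetService(clock=clock)
    link_token = svc.issue("alice")          # constructed sample user
    print("first use:", svc.consume(link_token))   # alice
    print("replay:", svc.consume(link_token))      # None, single use
    stale = svc.issue("alice")
    clock.now += TOKEN_TTL_SECONDS + 1
    print("expired:", svc.consume(stale))          # None
```

Two properties are worth checking in any implementation of this pattern: a token must fail after its first successful use, and requesting a second link must not leave the first one valid once the password has been changed.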
1

For example

  1. Send some code by SMS (something you have - phone)
  2. Let a related person confirm your identity (social networks, web of trust) /something you are/
  3. Send a code by snail mail /something you are/
  4. Live operator call (something you know)

But some of them are vulnerable to social engineering attacks. The most secure is when YOU KNOW something AND YOU HAVE something AND YOU ARE something. But it is hard to achieve.

Leos Literak
0

There is always the security question which is asked during the registration process. You can use that for resetting the password. You can also read this older post on the same topic.

sam100rav
  • But the user must supply both question and answer, because typical questions are easy to guess – Leos Literak Feb 24 '14 at 16:23
  • The security question is an old technique, and not secure. Please read the 2nd answer here for the reason: http://stackoverflow.com/questions/2734367/implement-password-recovery-best-practice – OhadR Feb 24 '14 at 19:31