How to handle forgotten passwords?

24 Replies - 1081 Views - Last Post: 24 September 2013 - 06:14 AM

#1 synlight

How to handle forgotten passwords?

Posted 23 September 2013 - 05:39 AM

This is more of a design question than a specific language question.

So, what do you do when a user forgets a password? What are best practices? Right now I have a "Forgot Password" button on the login screen that resets the password and generates an email with the new password to the email address the user registered with. Here are my questions:

1. Should I use a dropdown box to allow them to pick what user they are (right now there is only one user in the DB but I will change that soon)? I was wondering because they forgot their PW, what if they forgot their username too? Should I add a button for forgot username, and just reset everything?

2. Should I allow them to enter an email address they would like the email sent to? That doesn't seem very secure though, so maybe a bad idea.

Thank you!!


Replies To: How to handle forgotten passwords?

#2 Witchking

Re: How to handle forgotten passwords?

Posted 23 September 2013 - 05:47 AM

I would have them enter an email address, and if that matches the email address of a user, send a newly generated password for that user, along with their username.

#3 synlight

Re: How to handle forgotten passwords?

Posted 23 September 2013 - 05:50 AM

That's a good idea! What if the email does not match? I guess at that point, after a couple of tries I should make them re-register?

#4 andrewsw

Re: How to handle forgotten passwords?

Posted 23 September 2013 - 05:53 AM

If they don't know their password, username or email :whistling: then.. they can just start over IMO ;)

#5 tlhIn`toq

Re: How to handle forgotten passwords?

Posted 23 September 2013 - 05:54 AM

You're out in the cyber world, right? You're on systems. What do you see being used elsewhere? What is a model you like? Do you like having a code sent by SMS to your phone? Do you like having secret validation questions like "What restaurant is your favorite?" Do you prefer the security of 3 strikes and you're locked out until you call in? There are certain norms that people expect nowadays, and if you look around a bit I'm sure you'll see them and some others.

#6 synlight

Re: How to handle forgotten passwords?

Posted 23 September 2013 - 05:55 AM

LOL yeah, I guess that should have been pretty self-explanatory, huh? Sorry, I blame Monday morning :whistling:

Seriously though, this is such new territory for me, I keep questioning my own logic. Need to stop that.

#7 Michael26

Re: How to handle forgotten passwords?

Posted 23 September 2013 - 05:56 AM

Enter the email the user entered during registration (you can also add in a secret question), compare that email to the UserID or UserName to validate it (you don't want to send your password to just any email address); then, after validation, you can generate a temp password that you will send to the user's mail. When the user gets that email he has 24 hours to activate that temp password, which he can later change. Is that good enough for you :)

#8 synlight

Re: How to handle forgotten passwords?

Posted 23 September 2013 - 06:00 AM

tlhIn`toq, on 23 September 2013 - 07:54 AM, said:

You're out in the cyber world, right? You're on systems. What do you see being used elsewhere? What is a model you like? Do you like having a code sent by SMS to your phone? Do you like having secret validation questions like "What restaurant is your favorite?" Do you prefer the security of 3 strikes and you're locked out until you call in? There are certain norms that people expect now days, and if you look around a bit I'm sure you'll see them and some others.


I think I am just confusing myself. I will incorporate what I think should handle something, then 2 weeks later I'm all FACEPALM I forgot about this, this and this! This application is a bit unique in that there is only one user, I debated using UN/PW at all. I figured I needed that practice though, since I have never worked with them, especially since the next release will support more users. So here I am.

Right now the boss just wants a working release. I don't have time to incorporate everything I want, which is frustrating. Luckily, I have many months to beef it up for the next release. He wants this thing like yesterday, and is NOT a programmer/computer person. But, I suppose that's the way of the working world.

This post has been edited by synlight: 23 September 2013 - 08:08 AM


#9 Skydiver

Re: How to handle forgotten passwords?

Posted 23 September 2013 - 06:03 AM

andrewsw, on 23 September 2013 - 08:53 AM, said:

If they don't know their password, username or email :whistling: then.. they can just start over IMO ;)


Unless you are eBay. After you create an account, when you try to enter a credit card or checking account number, it complains that the account number already exists. So creating a new account is useless.

The reason why I can't remember my username, email, and password is because I had used an MSN account, and I had declined the automatic conversion of MSN to Hotmail. I had my username and password stored in PasswordSafe on a laptop, but the laptop's hard drive seized up, and the backups I had were destroyed when my office got flooded. *sigh*

#10 andrewsw

Re: How to handle forgotten passwords?

Posted 23 September 2013 - 06:20 AM

Well, my suggestion wouldn't necessarily apply for a financial site, or personal information store, where there should always be some way (hopefully!) for the user to get re-attached. But for blogs, forums, most other sites..

Off-topic, but this discussion reminds me of a very useful site: mailinator.com to create free, disposable, email. It's useful where you are required to register for something, even though you don't want to ;)

#11 Curtis Rutland

Re: How to handle forgotten passwords?

Posted 23 September 2013 - 07:09 AM


I'll just throw out some general security advice (finally get to use my cert :P )

  • Don't tell the user which piece of info they got wrong. If you have a username and password, don't tell them "incorrect username" or "incorrect password", because this gives attackers more information than you should. It tells them they have a valid username, and it also allows them to brute-force a user list (by trying various usernames until they get a different error message). Instead, just say something like "login failed" or "username and password do not match".
  • Never email a user a password.
  • Never store passwords. Store salted password hashes. If you do not understand what this means, please say so, because this is of critical importance when dealing with secure systems. Storing passwords in plain-text or even in a reversible encryption is the cardinal sin of security.
  • If this were a web application, I'd suggest using password reset links. If a user doesn't know his password, you create a link and mail it to them. If they click the link within a given time, they get redirected to a reset page.

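The controls Curtis lists in the post above (one generic "login failed" message, salted hashes instead of stored passwords, and a time-limited reset link), as an added worked example in Python. This is not code from the thread or from the original poster's application. It assumes in-memory dictionaries in place of the real database, a `send(email, token)` callback in place of the mailer that would build the actual link, a PBKDF2 work factor of 600,000 iterations, and a link lifetime of 24 hours (the validity window from post #7, applied to a token rather than to a password). The unknown-username path deliberately still runs the hash so that response time does not leak whether an account exists.

```python
"""Added example: uniform login failure, salted password hashing and
single-use, time-limited reset links. Not code from the thread."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 600_000          # assumed work factor; tune to your hardware
RESET_TTL_SECONDS = 24 * 3600        # assumed link lifetime (the 24 hours from post #7)

# Constructed in-memory stand-ins for the application's database tables.
USERS = {}         # username -> {"email", "salt", "pw_hash"}
RESET_TOKENS = {}  # sha256(token) -> {"username", "expires_at", "used"}
_DUMMY_SALT = os.urandom(16)         # so unknown usernames cost the same as known ones


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only this digest and the salt are stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username: str, email: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = {"email": email, "salt": salt, "pw_hash": hash_password(password, salt)}


def login(username: str, password: str) -> bool:
    """True on success, False otherwise. The UI shows the same 'Login failed'
    message in every failure case; nothing here says which field was wrong."""
    user = USERS.get(username)
    # Hash even when the username is unknown so response time does not
    # reveal whether the account exists.
    salt = user["salt"] if user else _DUMMY_SALT
    expected = user["pw_hash"] if user else bytes(32)
    matches = hmac.compare_digest(hash_password(password, salt), expected)
    return matches and user is not None


def request_reset(email: str, send, now: float) -> None:
    """Start a reset. `send(email, token)` stands in for the mailer that builds
    the link. The caller shows 'If that address is registered, a link was sent'
    whether or not a user matched, so the page itself reveals nothing."""
    for username, user in USERS.items():
        if user["email"].lower() == email.lower():
            token = secrets.token_urlsafe(32)             # goes only into the email
            token_hash = hashlib.sha256(token.encode()).hexdigest()
            RESET_TOKENS[token_hash] = {"username": username,
                                        "expires_at": now + RESET_TTL_SECONDS,
                                        "used": False}    # store the hash, not the token
            send(user["email"], token)


def consume_reset_token(token: str, new_password: str, now: float) -> bool:
    """Redeem a link once, within its lifetime, and set a new salted hash."""
    record = RESET_TOKENS.get(hashlib.sha256(token.encode()).hexdigest())
    if record is None or record["used"] or now > record["expires_at"]:
        return False
    username = record["username"]
    # Invalidate every outstanding link for this user, not just the one redeemed.
    for other in RESET_TOKENS.values():
        if other["username"] == username:
            other["used"] = True
    user = USERS[username]
    user["salt"] = os.urandom(16)
    user["pw_hash"] = hash_password(new_password, user["salt"])
    return True
```

Two properties worth checking on any implementation of this flow: `request_reset` must look identical to the caller for a registered and an unregistered address (the only difference is whether an email goes out), and a token must work exactly once and only before its `expires_at`. Storing the SHA-256 of the token rather than the token means a read of the reset table does not hand an attacker usable links.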

#12 synlight

Re: How to handle forgotten passwords?

Posted 23 September 2013 - 07:19 AM

I do understand a salted password hash, I just read a tut on it the other day. While my passwords are stored in plain text at the moment, it is on my TODO list this week.

It isn't a web app, it's a desktop application, so if I can't email them the reset password, how do I get them the information after I reset it?

#13 Curtis Rutland

Re: How to handle forgotten passwords?

Posted 23 September 2013 - 07:24 AM

That's the problem, you know. If you're not using some central server for these kinds of things, you have to trust the application itself to be entirely self-contained. I'm not sure how I would handle that. Just how secure does this have to be?

#14 synlight

Re: How to handle forgotten passwords?

Posted 23 September 2013 - 07:28 AM

Meh. Not very secure. At this point, I'm basically looking at keeping employees out of the Admin role within the application.

#15 Curtis Rutland

Re: How to handle forgotten passwords?

Posted 23 September 2013 - 07:36 AM

Then you can build password resetting into the Admin functionality, if you don't mind having you or tech support doing the reset when people forget. Otherwise, you could go with some simple security questions that will reset the user's password once answered.
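For the desktop, no-mail-server situation discussed in posts #12 to #15, here is an added Python example (not the thread's or the poster's code) of the first option Curtis suggests: building the reset into the Admin role. It assumes an in-memory `UserStore` in place of the database, role strings `"admin"` and `"employee"`, scrypt as the password hash, and a one-day lifetime for a temporary password. The admin sees the random temporary password once and hands it to the user out of band; the user's first login with it is allowed only to set a new password, and the old password stops working the moment the reset is issued. The security-question alternative is not shown.

```python
"""Added example: admin-issued, one-time temporary passwords for a desktop
application with no mail server. Not code from the thread."""
import hashlib
import hmac
import os
import secrets

TEMP_PASSWORD_TTL = 24 * 3600   # assumed: a temporary password is good for one day


def _hash(password: str, salt: bytes) -> bytes:
    """Salted scrypt digest; only the digest and salt are stored, never the password."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)


class UserStore:
    """Constructed in-memory stand-in for the application's user table."""

    def __init__(self):
        self.users = {}   # username -> {"role", "salt", "pw_hash", "temp_expires_at"}

    def add_user(self, username: str, password: str, role: str = "employee") -> None:
        salt = os.urandom(16)
        self.users[username] = {"role": role, "salt": salt,
                                "pw_hash": _hash(password, salt),
                                "temp_expires_at": None}

    def admin_reset(self, admin_username: str, target_username: str, now: float):
        """Only the Admin role may reset. Returns a random temporary password to
        show the admin once (handed to the user out of band), or None if refused."""
        admin = self.users.get(admin_username)
        if admin is None or admin["role"] != "admin" or target_username not in self.users:
            return None
        temp = secrets.token_urlsafe(12)
        target = self.users[target_username]
        target["salt"] = os.urandom(16)
        target["pw_hash"] = _hash(temp, target["salt"])   # the old password stops working
        target["temp_expires_at"] = now + TEMP_PASSWORD_TTL
        return temp

    def login(self, username: str, password: str, now: float) -> str:
        """Returns 'ok', 'must_change' or 'failed'. The UI shows one generic
        message for 'failed' whether the username or the password was wrong."""
        user = self.users.get(username)
        salt = user["salt"] if user else bytes(16)    # hash anyway: same cost for unknown users
        expected = user["pw_hash"] if user else bytes(32)
        if not hmac.compare_digest(_hash(password, salt), expected) or user is None:
            return "failed"
        if user["temp_expires_at"] is not None:
            if now > user["temp_expires_at"]:
                return "failed"        # expired temporary password: admin must issue another
            return "must_change"       # valid, but nothing else is allowed until it is replaced
        return "ok"

    def change_password(self, username: str, current: str, new: str, now: float) -> bool:
        """Replaces a temporary (or normal) password and clears the must-change state."""
        if self.login(username, current, now) == "failed":
            return False
        user = self.users[username]
        user["salt"] = os.urandom(16)
        user["pw_hash"] = _hash(new, user["salt"])
        user["temp_expires_at"] = None
        return True
```

The application's main window should treat `"must_change"` as a dead end that opens only the change-password dialog, so a temporary credential can never be used for ordinary work, and the role check in `admin_reset` is what keeps employees from resetting the Admin account. Log who issued each reset and when; that record is the audit trail for a desktop app that has no server to keep one.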
