How to handle forgotten passwords?

24 Replies - 1048 Views - Last Post: 24 September 2013 - 06:14 AM

#16 Skydiver

Re: How to handle forgotten passwords?

Posted 23 September 2013 - 08:05 AM

In the good old DOS days, some programs would detect if you were holding down the SHIFT, CTRL, or ALT key while starting the program. If the key was held down, then the program knew to run in reset mode, or admin mode.

#17 no2pencil

Re: How to handle forgotten passwords?

Posted 23 September 2013 - 02:45 PM

In PHP I have the user enter an email address at registration time. Then when they click 'forgot password', the confirmation is sent to that address only. In that email is a link to reset the password, with a generated 'key'. That key is stored in the db for that user. The forgot password option is then tripped in the db from zero to 1, false to true, whatever. When the link is followed, verify that the keys match, and force the user to create a new password. Blank the key, set 'forgot' from 1 to zero, and then the user can only log in with username and password, and not the key.
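
The reset flow no2pencil describes, as an added example that is not from this thread or from anyone's posted code: a Python model of the user row in which the key is stored only as a hash, expires, and works once. The PBKDF2 parameters and the 15-minute key lifetime are assumptions, and mailing the key to the registered address is left to the caller.

```python
import hashlib
import hmac
import secrets

RESET_TTL = 15 * 60  # seconds a reset key stays valid (assumed value, not from the thread)

def hash_password(pw, salt=None):
    """Salted PBKDF2-SHA256, stored as 'salt:hash' so the plain password never reaches the db."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)
    return salt.hex() + ":" + dk.hex()
def check_password(pw, stored):
    salt_hex, dk_hex = stored.split(":")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(dk.hex(), dk_hex)

def hash_key(key):
    """The db row keeps only this digest, so reading the db does not yield a usable key."""
    return hashlib.sha256(key.encode()).hexdigest()
class Account:
    """One user row: email, password hash, reset-key hash, expiry and the 'forgot' flag."""
    def __init__(self, email, password):
        self.email = email
        self.pw_hash = hash_password(password)
        self.reset_key_hash, self.reset_expires, self.forgot = None, 0.0, False

    def request_reset(self, email, now):
        """'Forgot password': generate a key, store its hash, trip the flag from 0 to 1.
        Returns the raw key; the caller mails it to the registered address only."""
        if email.lower() != self.email.lower():
            return None
        key = secrets.token_urlsafe(32)
        self.reset_key_hash = hash_key(key)
        self.reset_expires = now + RESET_TTL
        self.forgot = True
        return key

    def complete_reset(self, key, new_password, now):
        """Link followed: flag must be set, key must be unexpired and match (constant time)."""
        if not self.forgot or now > self.reset_expires:
            return False
        if not hmac.compare_digest(hash_key(key), self.reset_key_hash):
            return False
        self.pw_hash = hash_password(new_password)
        self.reset_key_hash, self.reset_expires, self.forgot = None, 0.0, False  # blank the key
        return True

    def login(self, password):
        """Normal login takes username and password only; a reset key never logs anyone in."""
        return check_password(password, self.pw_hash)
```
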

#18 Curtis Rutland

Re: How to handle forgotten passwords?

Posted 23 September 2013 - 02:55 PM

That's a great model for online applications. But apparently this one is a strictly local app with its own local DB, so that has its own challenges.

#19 Atli

Re: How to handle forgotten passwords?

Posted 23 September 2013 - 03:15 PM

The way I see it, you can't issue a password reset without the user verifying his/her identity. In web applications this is easily solved using email addresses, but in local applications that same logic still has to apply. You'd have to build in some sort of identification method besides the password, or a password reset feature will just serve as a "hijack account" feature for malicious users.

Perhaps you could integrate an email or a phone number into the local app as an identification method, so that when an account is created an email/phone is required, only to be used in case the account needs to be verified for things like password recovery. The local app could send a key in an email/text that could be entered into the local app for the purpose of resetting the password.

Then there are things like two-step verification, where you have an app or device generating codes that change every few seconds, and the code has to be entered along with the password. That tends to make things a hell of a lot more secure, though I don't really know how you'd implement that on your own.
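
The code-generating app or device Atli mentions is usually TOTP (RFC 6238, built on HOTP from RFC 4226). As an added example that is not from the thread, here is the generation and verification side in Python using only the standard library; the enrollment helper, the 30-second step and the one-period drift window are assumptions, and the caller keeps the set of already-accepted periods per user.

```python
import base64
import hashlib
import hmac
import secrets
import struct

def enroll():
    """Create a 160-bit shared secret; the base32 form is what an authenticator app is given."""
    raw = secrets.token_bytes(20)
    return raw, base64.b32encode(raw).decode()

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, at, step=30, digits=6):
    """RFC 6238: the counter is the number of 'step'-second periods since the Unix epoch."""
    return hotp(secret, int(at) // step, digits)

def verify_totp(secret, submitted, at, used, step=30, digits=6, window=1):
    """Check a submitted code against the current period and its +/-window neighbours
    (clock drift). 'used' is the set of periods already accepted for this user, so a code
    cannot be replayed within its lifetime. Every candidate is compared in constant time."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    counter = int(at) // step
    matched = None
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), submitted) and c not in used:
            matched = c
    if matched is None:
        return False
    used.add(matched)
    return True
```
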

#20 Curtis Rutland

Re: How to handle forgotten passwords?

Posted 23 September 2013 - 03:22 PM

Personally, I don't like making people log in to local apps. They've already logged into Windows. Why not grab their Windows login ID and use that? If you're on a corporate network, odds are they use Active Directory, which is even better. You can query into that for all their details, and automatically create a login for them. That way you can track who does what, but you don't have to manage a username/password. Of course, this is only for apps where you trust the user to not leave their PC unattended while logged in, etc...

#21 synlight

Re: How to handle forgotten passwords?

Posted 24 September 2013 - 05:21 AM

The way this application works is a bit unusual. It will be deployed in a setting where there are multiple technicians using one workstation throughout the day, not using their own Windows user. So, tech1 will hop on and log in, do what he has to do, then log out. Then later tech2 may need to use the app, so he will log in and do what he has to do. The supervisor will use it off and on throughout the day, etc.

For this bare bones release, I am using the automated email with password reset. When the user logs in with the reset password, the app will force them to change it. Security needs are minimal, and I am just setting the stage for more complicated user auth in our next release. I really want to thank everyone for the input!! It was extremely helpful.

This post has been edited by synlight: 24 September 2013 - 06:03 AM


#22 Skydiver

Re: How to handle forgotten passwords?

Posted 24 September 2013 - 05:59 AM

If that is the environment you'll be running in, I would take some extra time to research how various POS (point of sale) systems manage security. If you know anybody who works with/for Starbucks, I would try buying them some coffee and ask some deeper questions about how they manage their registers. They seem to have a pretty painless system of having baristas swapping and jumping on the register, and doing any manager overrides as needed. On the other extreme, I've gotten the impression that supermarkets have a lot of ceremony attached to logging in a checkout clerk when their shift starts, and manager overrides sometimes involve physical keys.

#23 synlight

Re: How to handle forgotten passwords?

Posted 24 September 2013 - 06:02 AM

That's an excellent idea! I actually do have a friend that works at SB. And for me, painless is what I want the system to be. Well, painless, but secure (next release). This release is going to be a free/low-cost add-on, so we are going as simple as possible.

#24 AdamSpeight2008

Re: How to handle forgotten passwords?

Posted 24 September 2013 - 06:07 AM

It should be secure from the start. Storing plain passwords is a bad idea to begin with.
Store some hashed version instead.

With the email verification method, you get sent a link to verify the email address first.

Leave security to the experts and specialists, because more than likely you'll get it wrong.

#25 synlight

Re: How to handle forgotten passwords?

Posted 24 September 2013 - 06:14 AM

AdamSpeight2008, on 24 September 2013 - 08:07 AM, said:

It should be secure from the start. Storing plain passwords is a bad idea to begin with.
Store some hashed version instead.

With the email verification method, you get sent a link to verify the email address first.

Leave security to the experts and specialists, because more than likely you'll get it wrong.

The passwords will be hashed before it is released.

I can't send a link, this is a local app, the link would lead to nowhere. Instead, I am restricting password resets to the email that the user registered with.

Unfortunately, there is no expert to leave this to. I am the only developer working here, and I am learning as I go. If I get ready for a large-scale release in the future and feel like there are security flaws that I can't handle, then we will contract someone to write that part of the code for sure. I know how important it is.