what is the best practice for forgot password process?

amateur · Dec 13, 2012 · Viewed 7.1k times

I am currently developing a c# web application that allows users to login with a password. A feature that I need to include is a forgot password function.

What is the recommended process for forgot password?

I was considering this:

  • User clicks forgot password, enter email address
  • Email sent
  • Click on link in email (link only valid once and within time period)
  • Taken to the site and asked to enter new password (should they also give answer to security question?)
  • Password changed, email sent to user of such
  • User now can log in with new password

Answer

explunit · Dec 13, 2012

Your idea looks solid, but I would add some other considerations:

  • Be sure that the token you are generating in the email is using the .Net Framework crypto classes designed for randomization, not something that seems random but is not designed for that purpose.
  • Take no action on the account from the sending of the reset email (otherwise people will be able to lock other people's accounts if they know their email)
  • Add a rate limiter on how many resets per hour can be generated for a given email. Otherwise somebody could DoS a user by: (a) using x bad passwords to lock the account and then (b) generating reset emails for them faster than the email system can deliver.
  • Where possible defer to other systems such as OpenID. It's easy to get things wrong when you roll your own.
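An added example (not code from the question or the answer) of the reset-token service that the question's six steps and the answer's first three points describe: tokens come from the framework CSPRNG, only a hash of each token is stored, a token is valid once and only within its lifetime, issuing a token changes nothing on the account, and issuance is rate-limited per email. The in-memory dictionaries stand in for database tables, and the names `ResetTokenService`, `IssueToken` and `Redeem` are assumptions; it targets .NET 6 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the original page. The dictionaries stand in for
// database tables; the class and method names are assumptions.
public sealed class ResetTokenService
{
    // Only the SHA-256 hash of a token is kept, so a leaked table does not
    // contain anything a caller could paste into the reset link.
    private sealed record PendingReset(string Email, DateTimeOffset ExpiresAt);

    private readonly Dictionary<string, PendingReset> _pending = new();              // key: hex of SHA-256(token)
    private readonly Dictionary<string, List<DateTimeOffset>> _issueLog =
        new(StringComparer.OrdinalIgnoreCase);                                        // per-email issue times

    private readonly TimeSpan _lifetime;
    private readonly int _maxPerHour;
    private readonly Func<DateTimeOffset> _clock;

    public ResetTokenService(TimeSpan lifetime, int maxPerHour, Func<DateTimeOffset>? clock = null)
    {
        _lifetime = lifetime;
        _maxPerHour = maxPerHour;
        _clock = clock ?? (() => DateTimeOffset.UtcNow);
    }

    // Steps 1-2 of the question: the user submits an email address and a
    // link is mailed. Returns the token to embed in that link, or null when
    // the per-email hourly limit is reached. The account itself is not
    // touched here: no lockout, no password change.
    public string? IssueToken(string email)
    {
        var now = _clock();
        if (!_issueLog.TryGetValue(email, out var times))
            _issueLog[email] = times = new List<DateTimeOffset>();
        times.RemoveAll(t => t < now - TimeSpan.FromHours(1));
        if (times.Count >= _maxPerHour)
            return null;
        times.Add(now);

        // 32 bytes from the cryptographic RNG, never System.Random.
        byte[] raw = RandomNumberGenerator.GetBytes(32);
        string token = Convert.ToBase64String(raw)
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');   // URL-safe for the email link
        _pending[HashKey(token)] = new PendingReset(email, now + _lifetime);
        return token;
    }

    // Steps 3-5: the link is clicked and a new password is submitted.
    // Returns the email whose password may now be changed, or null if the
    // token is unknown, expired or already used. The entry is removed on
    // the first presentation, so the link works exactly once.
    public string? Redeem(string token)
    {
        string key = HashKey(token);
        if (!_pending.TryGetValue(key, out var entry))
            return null;
        _pending.Remove(key);                 // single use, even if it turns out to be expired
        return _clock() > entry.ExpiresAt ? null : entry.Email;
    }

    private static string HashKey(string token) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));
}

public static class Demo
{
    public static void Main()
    {
        var svc = new ResetTokenService(TimeSpan.FromMinutes(30), maxPerHour: 3);

        string? token = svc.IssueToken("user@example.com");      // constructed sample address
        Console.WriteLine($"issued: {token is not null}");        // True

        Console.WriteLine($"first redeem:  {svc.Redeem(token!)}"); // user@example.com
        Console.WriteLine($"second redeem: {svc.Redeem(token!) ?? "(rejected)"}");

        // Fourth request within the hour is refused by the rate limiter.
        for (int i = 0; i < 2; i++) svc.IssueToken("user@example.com");
        Console.WriteLine($"4th request: {svc.IssueToken("user@example.com") ?? "(rate limited)"}");
    }
}
```

The HTTP handler that calls `IssueToken` should respond identically whether or not the address has an account, so the form cannot be used to enumerate users; the rate limit is keyed by email so that one address cannot be flooded, which is the DoS the answer describes. In a real deployment `_pending` and `_issueLog` live in the database, and a background job prunes expired rows.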