What do you do when a user forgets their password? There are a number of different approaches that can be taken. For an internal user within an organization, it usually means having to phone up the helpdesk.
But where an application is public-facing, running a helpdesk is usually cost-prohibitive, so self-service functionality is provided instead.
The challenge when allowing a user to self-service is that you could potentially open up a number of avenues for attack.
For example, error messages displayed on the screen can indicate whether a user is valid or not, which would make it quite easy for an attacker to script a variation of usernames and use the responses to build up a list of valid IDs.
The approach I’ve seen work quite well in a number of instances, to allow a user to reset their password if they’ve forgotten it, is to ask some qualifying questions to establish the authenticity of the user.
Then email a unique tokenized URL to their registered email address. You can increase security by giving the URL a fixed life of a few hours and ensuring it can only be used once.
Finally, once a user has clicked through the URL and successfully changed their password, email them a confirmation of successful password change.
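The flow above, as an added example that is not code from the original post: a generic reply regardless of whether the username exists (so the reset form cannot be used to enumerate accounts), a random token that is emailed but stored only as a hash, a fixed lifetime and single use, and a confirmation mail once the password is changed. The two-hour lifetime, the in-memory tables and the outbox standing in for a mailer are all assumptions made to keep the example self-contained.

```python
import hashlib
import hmac
import secrets
import time

# Assumed values (not from the post): a two-hour token life and in-memory stores
# standing in for the user table, the reset-token table and the outbound mail queue.
TOKEN_TTL_SECONDS = 2 * 60 * 60
USERS = {"alice": {"email": "alice@example.com", "salt": b"", "pw_hash": b""}}
RESET_TOKENS = {}   # sha256(token) -> {"user", "expires", "used"}
OUTBOX = []         # (recipient, subject, body) tuples in place of a real mailer
GENERIC_REPLY = "If that account exists, a reset link has been emailed to it."

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def request_reset(username, answers_ok, now=None):
    """Steps 1-2: once the qualifying questions pass, mail a one-time link.
    The reply is identical for unknown users and for wrong answers, so it
    cannot be used to enumerate valid accounts. Only the token's hash is kept."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None or not answers_ok:
        return GENERIC_REPLY
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "user": username, "expires": now + TOKEN_TTL_SECONDS, "used": False}
    OUTBOX.append((user["email"], "Password reset",
                   f"https://example.invalid/reset?token={token}"))
    return GENERIC_REPLY

def redeem_token(token, new_password, now=None):
    """Step 3: the user follows the link. Rejects unknown, expired and
    already-used tokens, burns the token, sets the new password and sends
    the confirmation mail. Returns True on success, False otherwise."""
    now = time.time() if now is None else now
    rec = RESET_TOKENS.get(hashlib.sha256(token.encode()).hexdigest())
    if rec is None or rec["used"] or now > rec["expires"]:
        return False
    rec["used"] = True                       # single use, marked before any change
    user = USERS[rec["user"]]
    user["salt"] = secrets.token_bytes(16)
    user["pw_hash"] = _hash_password(new_password, user["salt"])
    OUTBOX.append((user["email"], "Your password was changed",
                   "If this was not you, contact support immediately."))
    return True

def password_matches(username, password):
    user = USERS[username]
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])
```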
Don't forget to like the video if it has been of any use to you. As always, I'm easy to stalk:
J4vv4D.com
@J4vv4D
Facebook.com/J4vv4D
youtube.com/infoseccynic