Password recovery flow - Send Password recovery to any email?

I am building a new MVC app. Consider this "forgot password" flow:

1) You enter an email.
2) You press "send recovery password".
3) An email awaits in the inbox; pressing the link in it brings you to the "new password" screen.

In phase 1, there are no limitations on the email you provide (it may not even exist). Are there any major security flaws with this flow?

Posted on 16 Aug 2022.


Answers (1)

manpreet (Best Answer), 2 years ago
While in discussions with someone under the question, I figured I would go ahead and post how we handle password resets using a similar flow, and point out where we try to prevent malicious intent. Here is our flow:

1. On the login form, there is a link for "forgot password".
2. The forgot password screen is a simple textbox where you can enter your email address. In our implementation, the email address is the username, but it shouldn't matter as long as each user has a valid email address attached to their account.
3. The user enters an email address and presses "Submit".
4. IF the email address is associated with a valid account, we generate a GUID, store it in the password reset request table with an association to the requesting user account, and set an expiration time of 30 minutes.
5. IF the email address does not exist, we do nothing. No email is sent to anyone.
6. Regardless of whether the email address is correct or not, we always show "Thanks, if the email address you entered is correct, you will be receiving an email shortly with instructions on how to reset your password". This is important, as you don't want a bad user using this form to try to discover user names.
7. The user receives the email and clicks the link. This takes them to a reset password screen (with new password / confirm new password textboxes) if the GUID/link is still valid. If it is not, we show "this reset key is no longer valid" if the key is expired or does not exist.
8. After the reset, the user is redirected to the login screen to log in to the application.

Hope this helps. As others have said, use a good method to generate the reset password link, and do not use any user-identifying information in the link (someone could guess it, figure out your algorithm, etc.).
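The flow in the answer above, as an added example that is not part of the original post or of manpreet's application: a small Python service that issues a reset token only for known accounts, returns the same message either way, expires tokens after 30 minutes, and makes each token single use. It goes slightly beyond the answer in two places: the token comes from `secrets.token_urlsafe` (a CSPRNG) rather than a GUID, and the table stores only a SHA-256 hash of the token, so a leaked table does not yield usable reset links. The `PasswordResetService`, `hash_password`, `verify_password` names, the `https://app.example/reset?token=` link format and the in-memory "outbox" standing in for real email delivery are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 30 * 60  # the 30-minute expiry from the answer
PBKDF2_ROUNDS = 200_000
# Identical response for known and unknown addresses, so the form cannot be used
# to enumerate accounts.
RESET_MESSAGE = ("Thanks, if the email address you entered is correct, you will be "
                 "receiving an email shortly with instructions on how to reset your password")


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'salthex$digesthex' (assumed scheme)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, password):
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


@dataclass
class Account:
    email: str
    password_hash: str


@dataclass
class ResetRequest:
    email: str
    expires_at: float


class PasswordResetService:
    def __init__(self, accounts, now=time.time):
        self.accounts = {a.email.lower(): a for a in accounts}
        self.requests = {}   # token hash -> ResetRequest (the "password reset request table")
        self.outbox = []     # (email, link) pairs; constructed stand-in for sending mail
        self.now = now       # injectable clock so expiry can be tested deterministically

    @staticmethod
    def _hash_token(token):
        # Only the hash is persisted; the raw token exists solely in the emailed link.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email):
        """Step 4/5/6 of the answer: create a token only for real accounts, reply uniformly."""
        account = self.accounts.get(email.strip().lower())
        if account is not None:
            token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output, nothing user-derived
            self.requests[self._hash_token(token)] = ResetRequest(
                email=account.email, expires_at=self.now() + TOKEN_TTL_SECONDS)
            self.outbox.append((account.email, f"https://app.example/reset?token={token}"))
        return RESET_MESSAGE

    def _lookup(self, token):
        key = self._hash_token(token)
        req = self.requests.get(key)
        if req is None:
            return None
        if req.expires_at < self.now():
            del self.requests[key]  # expired keys are treated exactly like unknown ones
            return None
        return req

    def validate_token(self, token):
        """Step 7: decide whether to show the reset screen or 'no longer valid'."""
        return self._lookup(token) is not None

    def complete_reset(self, token, new_password):
        """Step 7/8: set the new password and burn the token so the link cannot be replayed."""
        req = self._lookup(token)
        if req is None:
            return False
        del self.requests[self._hash_token(token)]
        self.accounts[req.email.lower()].password_hash = hash_password(new_password)
        return True
```

One caveat the uniform message does not cover: the branch that generates a token and sends mail takes measurably longer than the branch that does nothing, so a production version should also rate-limit the form and, ideally, hand the mail to a background queue so the response time is the same in both cases.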
