A must-read on how to properly design a secure password reset for your web application:
A high-level summary is:
Never send the password by email; instead, send a reset link to the account's email address, protected by a CAPTCHA check, and include the IP address of the requestor.
Make sure the password reset link is random and not derived from a standard seed, and give it a short expiration time.
On clicking the reset link, make the user answer a challenge-response to their secret question.
Make the user sign on again after the password reset (instead of auto-login), and send an email to notify the account owner that the password has been successfully reset.
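As an added example (not code from the linked post), here is how the random, short-lived, single-use reset token from the summary above might be issued and redeemed in Python; the in-memory store, the 15-minute window and the account ids are assumptions, and the CAPTCHA, secret-question and notification steps are left to the surrounding web application.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed short expiry window for a reset link


class ResetTokenStore:
    """Keeps only a SHA-256 digest of each issued token, so a leaked table
    cannot be replayed as reset links. One live token per account (assumed)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing expiry
        self._by_account = {}        # account_id -> (digest, expires_at)

    def issue(self, account_id: str) -> str:
        # secrets.token_urlsafe draws from the OS CSPRNG, never from a
        # seeded PRNG, so the link cannot be predicted from earlier ones.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._by_account[account_id] = (digest, self._clock() + TOKEN_TTL_SECONDS)
        return token  # embedded in the emailed link; never stored in clear

    def redeem(self, account_id: str, token: str) -> bool:
        entry = self._by_account.get(account_id)
        if entry is None:
            return False
        digest, expires_at = entry
        presented = hashlib.sha256(token.encode()).hexdigest()
        # Constant-time comparison of digests avoids timing side channels.
        if not hmac.compare_digest(digest, presented):
            return False
        # Single use: drop the token before the expiry check so a matching
        # but stale token is also gone and cannot be retried.
        del self._by_account[account_id]
        return self._clock() <= expires_at
```

After a successful redeem, the application should let the user set a new password, then require a fresh sign-on and send the notification email described above.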