
On occasion we want to create a user account for important users who we've been in touch with in advance.

When they then visit our site, the ideal UX scenario is that they complete a third-party form (generated by HelloSign) first, and change their password second.

Is there a good way to do this? I looked at, e.g., this thread on sending an initial password via email, which is the solution that first occurred to me. The top-voted response recommends against the practice in favour of getting a login/reset link, but as far as I understand, the point of doing it via token would be to prevent any other activity before the password has been changed. Is there any secure alternative?

Sasha
    Possible duplicate of [Why are one time password reset links safer than one time passwords?](http://security.stackexchange.com/questions/148862/why-are-one-time-password-reset-links-safer-than-one-time-passwords) – SilverlightFox Jan 30 '17 at 13:49
  • @SilverlightFox related, but not duplicate. Question is about accepting user input before changing passwords AND one-time password change links. – Mindwin Remember Monica Jan 30 '17 at 14:18
  • @Mindwin: [My answer there](http://security.stackexchange.com/a/148925/8340) covers both. – SilverlightFox Jan 30 '17 at 14:20
  • @SilverlightFox It does not answer if there is a secure alternative to get the user to input data before changing the password, or prove that getting user data before changing passwords cannot be done securely. See thel3l's answer below. – Mindwin Remember Monica Jan 30 '17 at 16:38

1 Answer


I'd recommend that you do the following:

Once you receive their submission, create their account and set up a random password for the password field. Then send them a password reset link that'll also double up as an email verification link. From there, log them in normally.

thel3l
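The flow thel3l describes, written out as an added example (not code from the original post): the account is created behind a random password nobody knows, the emailed link carries a one-time token whose hash alone is stored, and redeeming it both sets the password and marks the email verified. It assumes in-memory dictionaries in place of a database and a one-hour token lifetime.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for a database (assumption: no real ORM).
USERS = {}
RESET_TOKENS = {}
TOKEN_TTL_SECONDS = 60 * 60  # assumed policy: the one-time link lives one hour

def _now(now):
    return time.time() if now is None else now

def _hash_password(password, salt=None):
    """PBKDF2 password hash; production code would prefer bcrypt or argon2."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_pre_provisioned_account(email, now=None):
    """Create the account behind a random password nobody knows, then issue the link token."""
    salt, digest = _hash_password(secrets.token_urlsafe(32))
    USERS[email] = {"salt": salt, "pw": digest, "email_verified": False}
    return issue_reset_token(email, now)

def issue_reset_token(email, now=None):
    """Return the raw token for the emailed link; store only its hash, with an expiry."""
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[token_hash] = {"email": email, "expires": _now(now) + TOKEN_TTL_SECONDS}
    return token

def redeem_reset_token(token, new_password, now=None):
    """Consume the link once: set the password, mark the email verified, return the email."""
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    record = RESET_TOKENS.pop(token_hash, None)  # single use: gone even if it proves expired
    if record is None or _now(now) > record["expires"]:
        return None
    user = USERS[record["email"]]
    user["salt"], user["pw"] = _hash_password(new_password)
    user["email_verified"] = True
    return record["email"]

def verify_login(email, password):
    """Normal login check; cannot succeed before the link is redeemed, as nobody knows the initial password."""
    user = USERS.get(email)
    if user is None:
        return False
    return hmac.compare_digest(_hash_password(password, user["salt"])[1], user["pw"])
```

Because only the token's hash is stored, a leaked database table does not yield usable links, and popping the record before the expiry check means a used or expired link can never be replayed.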