I'm struggling with the reset password function of a web app. The way I'm inclined to do it is by sending a token-based URL to the user's email; the user can then access it and reset their password. But is email a trusted way to carry such sensitive data?
Well it really is a duplicated question, sorry and thanks for the quick answers. – danillosl May 11 '15 at 18:54
1 Answer
"Is email a trusted way to carry such sensitive data?" No.
Do many websites do it? Yes.
A saving grace is to make the link one-time-use-only and require the user to choose a new password immediately. That way, if an attacker does intercept the email and use it to hijack the account, when the legitimate user clicks on the link later, they will get an error message and know that something is wrong. As mentioned by @Xander, this is far from ideal, but at least it's something.
If you want better security, think about adding a second factor to the password reset tool, like sending a code to the user by SMS, or "where was your mother born?" type security questions, or any of the other standard second-factor methods (you should be able to get a good list via Google).
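The one-time reset link the answer recommends, as an added example in Python that is not part of the original post: the server stores only a hash of the token, consumes it on first use, and expires it after a fixed window. The `PasswordResetService` class, its in-memory stores and the 15-minute TTL are assumptions made for the example.

```python
import hashlib
import secrets
import time

# Constructed value for this example: how long an emailed reset link stays valid.
RESET_TOKEN_TTL = 15 * 60  # seconds


class PasswordResetService:
    """Hypothetical reset service: issues a one-time token per user, stores only a
    hash of it, and consumes it on first use so a second click fails loudly."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._tokens = {}        # sha256(token) -> (user_id, expires_at)
        self._passwords = {}     # user_id -> (salt, pbkdf2 digest)

    @staticmethod
    def _token_hash(token):
        # The database never sees the raw token; a leaked table is not a usable link.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_token(self, user_id):
        # Any earlier outstanding token for this user is revoked: one live link at a time.
        self._tokens = {h: rec for h, rec in self._tokens.items() if rec[0] != user_id}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[self._token_hash(token)] = (user_id, self._now() + RESET_TOKEN_TTL)
        return token  # only this value goes into the emailed URL

    def redeem(self, token, new_password):
        # pop() removes the record, so the link works exactly once.
        record = self._tokens.pop(self._token_hash(token), None)
        if record is None:
            return "invalid_or_already_used"  # what the legitimate user sees after a hijack
        user_id, expires_at = record
        if self._now() > expires_at:
            return "expired"
        # The new password is chosen in the same step, as the answer recommends.
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
        self._passwords[user_id] = (salt, digest)
        return "ok"

    def verify_password(self, user_id, password):
        stored = self._passwords.get(user_id)
        if stored is None:
            return False
        salt, digest = stored
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        return secrets.compare_digest(candidate, digest)
```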