Password Recovery Best Practices
Most of what I will mention here has been taken from experience and what I have read elsewhere about password recovery implementations. It is possible that this is not the best way for your project. Always take the security of user data seriously.
Password recovery is one of the core features of user account management. Users should be able to reset their passwords without a real person intervening, and the procedure should be designed to be secure. Before building the recovery system, note that passwords must never be stored in plaintext in your database. Always salt and hash passwords before storing them. Then, in the unfortunate event of a database breach, the account passwords will not be visible, and the attackers will not be able to use them against the user's other accounts that might share the same password.
The most common way to perform a password reset is to email a recovery link to the user's email address on record. This is better than asking security questions for two reasons:
- People are usually very lax with their security questions; the answers can be guessed or easily obtained through social engineering.
- Emailing the recovery link adds another layer of security to the design, since the user must separately log in to his/her email account.
The system should generate a random token and embed it in a URL when the user requests a password reset link. This URL should be stored along with the time it was generated and a flag recording whether it has already been used. The URL should then be sent to the user's email address on record. When the user accesses the link, the system should check three things:
- Has this link been accessed before? If yes, the link should be expired and no longer work.
- The link should have a time limit after which it expires. If the user accesses it after expiry, he/she should be redirected to request a new reset link (after entering their username, of course). The time limit depends on your requirements, though 2 hours is a good figure to start with.
- The system should also ask the user to type in their username. This ensures that if the email was intercepted, the infiltrator would also need to know the username to reset the password.
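The three checks above as one flow, written as an added example that is not the original post's code. It assumes in-memory dictionaries standing in for the database tables and, going beyond the text, stores only a SHA-256 hash of the token (so a database leak does not expose live reset links) and invalidates a token after three wrong username attempts.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 2 * 60 * 60   # the 2-hour starting figure from the text
MAX_USERNAME_ATTEMPTS = 3         # assumption: burn the token after 3 wrong usernames

# Constructed in-memory stores in place of database tables.
USERS = {"alice": "alice@example.com"}   # username -> email on record
RESET_TOKENS = {}                        # sha256(token) -> issuance record


def _token_key(token):
    # Only the hash is persisted; the raw token lives solely in the emailed link.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(username, now=None):
    """Issue a single-use token and return the link to email (None if no such user)."""
    now = time.time() if now is None else now
    if username not in USERS:
        return None   # respond to the requester identically in either case
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    RESET_TOKENS[_token_key(token)] = {
        "username": username, "created_at": now, "used": False, "attempts": 0}
    return f"https://example.test/reset?token={token}"   # hypothetical host


def consume_reset(token, username_entered, now=None):
    """Return (ok, reason). Checks: not already used, not expired, username matches."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(_token_key(token))
    if record is None:
        return False, "unknown token"
    if record["used"]:
        return False, "already used"          # check 1: single use
    if now - record["created_at"] > TOKEN_TTL_SECONDS:
        record["used"] = True
        return False, "expired"               # check 2: time limit
    if not hmac.compare_digest(record["username"].encode(), username_entered.encode()):
        record["attempts"] += 1              # check 3: username must be known
        if record["attempts"] >= MAX_USERNAME_ATTEMPTS:
            record["used"] = True
        return False, "username mismatch"
    record["used"] = True                     # mark used before the password change
    return True, "ok"
```

On an "expired" result the caller redirects to the request form, as the text describes; on "ok" it shows the new-password form.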
Of course, when the user enters a new password, it should be validated against the system's requirements: 8 or more characters should be standard. Remember, longer passwords are more secure than shorter, more complex ones.