Forgot Password Cheat Sheet

From OWASP
Revision as of 17:46, 1 March 2011

Introduction

This article provides a simple model to follow when implementing a "forgot password" web application feature.

The Problem

There is no industry standard for implementing the "Forgot Password" feature. The result is that users can be forced to jump through myriad hoops involving emails, special URLs, temporary passwords, personal security questions, and so on. In some applications you can recover your existing password, which implies the application stores it in a form it can read back rather than as a one-way salted hash. In others you have to reset it to a new value.

The recommendations presented for implementing "Forgot Password" are most appropriate for organizations that have a business relationship with users. Web applications that target the general public (social networking, free email sites, etc.) are fundamentally different and some concepts presented may not be feasible in those situations.

Steps

1) Gather Identity Data

2) Verify Security Questions

3) Send a Token Over a Side-Channel

4) Allow user to change password
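
The four steps above as one working flow, added here as an illustration; this is not code from the cheat sheet or from OWASP. It uses in-memory dictionaries and constructed sample accounts in place of a database, and the concrete choices (salted PBKDF2 for passwords and security answers, a 15-minute single-use reset token of which only a hash is stored, constant-time comparison of answers, and an identity lookup by username or e-mail) are this example's assumptions, not requirements the page states:

```python
import hashlib
import hmac
import secrets

TOKEN_TTL_SECONDS = 15 * 60   # assumption: reset tokens are valid for 15 minutes
PBKDF2_ROUNDS = 100_000       # assumption: work factor for stored secrets

# Constructed in-memory stores standing in for database tables.
USERS = {}          # username -> account record
RESET_TOKENS = {}   # sha256(token) -> {"username", "expires", "used"}


def _hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, used for both passwords and security answers."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _normalize_answer(answer: str) -> str:
    """Compare answers case-insensitively with whitespace collapsed ("  Rex " matches "rex")."""
    return " ".join(answer.split()).lower()


def make_user(username: str, email: str, password: str, answers: dict) -> dict:
    """Build a constructed account record (a real application loads this from its database)."""
    pw_salt, ans_salt = secrets.token_bytes(16), secrets.token_bytes(16)
    return {
        "username": username,
        "email": email,
        "pw_salt": pw_salt,
        "password_hash": _hash_secret(password, pw_salt),
        "ans_salt": ans_salt,
        "answers": {q: _hash_secret(_normalize_answer(a), ans_salt) for q, a in answers.items()},
    }


# Step 1: gather identity data. Lookup is by username or e-mail address; the
# caller must respond identically whether or not a matching account exists.
def find_user(identity: str):
    for user in USERS.values():
        if identity in (user["username"], user["email"]):
            return user
    return None


# Step 2: verify security questions. Every answer is checked (no early exit) and
# compared in constant time, so a wrong first answer does not change the timing.
def verify_security_questions(user: dict, answers: dict) -> bool:
    ok = len(answers) == len(user["answers"])
    for question, expected in user["answers"].items():
        given = _hash_secret(_normalize_answer(answers.get(question, "")), user["ans_salt"])
        ok &= hmac.compare_digest(given, expected)
    return ok


# Step 3: issue a random token to be delivered over a side channel (e-mail, SMS).
# Only a hash of the token is stored, so a copy of the table does not yield a
# usable reset link; the token expires and can be redeemed exactly once.
def issue_reset_token(user: dict, now: float) -> str:
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "username": user["username"],
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


# Step 4: redeem the token and let the user set a new password.
def reset_password(token: str, new_password: str, now: float) -> bool:
    record = RESET_TOKENS.get(hashlib.sha256(token.encode()).hexdigest())
    if record is None or record["used"] or now > record["expires"]:
        return False
    record["used"] = True   # burn the token before touching the account
    user = USERS[record["username"]]
    user["pw_salt"] = secrets.token_bytes(16)
    user["password_hash"] = _hash_secret(new_password, user["pw_salt"])
    return True


def check_password(user: dict, password: str) -> bool:
    return hmac.compare_digest(_hash_secret(password, user["pw_salt"]), user["password_hash"])


if __name__ == "__main__":
    import time
    USERS["alice"] = make_user("alice", "alice@example.com", "Old-Pass-1",
                               {"first pet": "Rex", "birth city": "Boston"})
    user = find_user("alice@example.com")
    if user and verify_security_questions(user, {"first pet": "rex", "birth city": "Boston"}):
        token = issue_reset_token(user, time.time())   # would be e-mailed, never shown on-page
        print("reset ok:", reset_password(token, "New-Pass-2", time.time()))
        print("replay rejected:", not reset_password(token, "New-Pass-3", time.time()))
```

Whatever find_user or verify_security_questions returns, the page shown to the user should look the same, so the flow does not confirm which identities have accounts; the token itself goes only to the side channel and is never rendered in the response.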

Related Articles

Fishnet Security - Secure Forgot Password

OWASP Cheat Sheets Project Homepage


Authors and Primary Editors

David Ferguson - David.Ferguson[at]fishnetsecurity.com
Jim Manico - jim[at]owasp.org