Difference between revisions of "Password reset strategy"
From DarkWiki
(→Password reset URL) |
(→Password reset URL) |
||
| Line 49: | Line 49: | ||
* ''timestamp'' is the time that the password reset was requested. | * ''timestamp'' is the time that the password reset was requested. | ||
* ''hmac'' is the [https://en.wikipedia.org/wiki/Hash-based_message_authentication_code HMAC] which encodes the other two variables, thus preventing their alteration. | * ''hmac'' is the [https://en.wikipedia.org/wiki/Hash-based_message_authentication_code HMAC] which encodes the other two variables, thus preventing their alteration. | ||
| + | |||
| + | ==Email content== | ||
| + | |||
| + | The actual email should include minimal personal information, but should clearly indicate the origin of both the email and the IP of the resetter. | ||
| + | |||
| + | <pre> | ||
| + | Subject: Rabora password reset link | ||
| + | |||
| + | At 16:00 on Thursday 10th August 2017, someone from 10.11.12.13 (some.hostname.com) asked to reset your password. | ||
| + | |||
| + | To reset your password, please click here: | ||
| + | |||
| + | https://auth.rabora.com/security/resetPassword/8a8e70d0-9055-486a-9892-06a2accdcfe2/ | ||
| + | |||
| + | </pre> | ||
Revision as of 15:03, 10 August 2017
Contents
Introduction
As part of standard operating procedure, the system needs to help users who have forgotten their password or user id in a simple and secure fashion, without any interaction of support staff.
Common attack vectors
- Password resets issued by hacker.
- Forged mails with reset links in.
Aims
- Users do not like automatically generated passwords
- Sending a new password or a one-time password/code in an email is insecure
- The password reset link inside the email will only be used:
- For a short period of time (e.g. 48 hours)
- Until such time as the password has been reset
- The password reset link will be secure, and any modification must be detectable
- The user's mailbox may be compromised in the future; the link must not be modifiable (e.g. by changing the username, timestamp etc)
Process
There are two possible initiators:
- The user has forgotten their user name, or
- The user has forgotten their password.
We do not need to care about which piece of information they have forgotten. We will use their registered email address to send them a link allowing them to set their password.
- User clicks "I've forgotten my password"
- The user is prompted for their email address.
- A password-reset URL is generated.
- The URL is emailed to the user's mailbox.
- The user clicks the link
- The URL is validated by the server
- The user is presented with the customary two-password-boxes
- The new password is saved
Password reset URL
The password URL comprises the following information:
<scheme>://<host>/security/resetPassword/<userId>/<timestamp>/<hmac>
Where:
- userId is the UUID associated with the user's account - it is not the username used to login.
- timestamp is the time that the password reset was requested.
- hmac is the HMAC which encodes the other two variables, thus preventing their alteration.
Email content
The actual email should include minimal personal information, but should clearly indicate the origin of both the email and the IP of the resetter.
Subject: Rabora password reset link At 16:00 on Thursday 10th August 2017, someone from 10.11.12.13 (some.hostname.com) asked to reset your password. To reset your password, please click here: https://auth.rabora.com/security/resetPassword/8a8e70d0-9055-486a-9892-06a2accdcfe2/
