Password reset strategy

Introduction

As part of standard operating procedure, the system needs to help users who have forgotten their password or user id in a simple and secure fashion, without any interaction of support staff.

Common attack vectors

• Password resets issued by hacker.
• Forged mails with reset links in.

Aims

• Users do not like automatically generated passwords
• Sending a new password or a one-time password/code in an email is insecure
• The password reset link inside the email will only be used:
  • For a short period of time (e.g. 48 hours)
  • Until such time as the password has been reset
• The password reset link will be secure, and any modification must be detectable
  • The user's mailbox may be compromised in the future; the link must not be modifiable (e.g. by changing the username, timestamp etc)

Process

There are two possible initiators:

• The user has forgotten their user name, or
• The user has forgotten their password.

We do not need to care about which piece of information they have forgotten. We will use their registered email address to send them a link allowing them to set their password.

• User clicks "I've forgotten my password"
• The user is prompted for their email address.
• A password-reset URL is generated.
• The URL is emailed to the user's mailbox.
• The user clicks the link
• The URL is validated by the server
• The user is presented with the customary two-password-boxes
• The new password is saved

Password reset URL

The password URL comprises the following information:

  <scheme>://<host>/security/resetPassword/<userId>/<timestamp>/<hmac>

Where:

• userId is the UUID associated with the user's account - it is not the username used to login.
• timestamp is the time that the password reset was requested.
• hmac is the HMAC encoding the other two variables, thus preventing their alteration.