Password reset strategy

From DarkWiki
Revision as of 14:46, 10 August 2017 by Apowney (talk | contribs) (Process)
Jump to: navigation, search

Introduction

As part of standard operating procedure, the system needs to help users who have forgotten their password or user id in a simple and secure fashion, without any interaction of support staff.

Process

There are two possible initiators:

  • The user has forgotten their user name, or
  • The user has forgotten their password.

We do not need to care about which piece of information they have forgotten. We will use their registered email address to send them a link allowing them to set their password.

  • Users do not like automatically generated passwords
  • Sending a new password or a one-time password in an email is insecure
  • The password reset link inside the email will only be used:
    • For a short period of time (e.g. 48 hours)
    • Until such time as the password has been reset
  • The password reset link will be secure, and any modification must be detectable
    • The user's mailbox may be compromised in the future; the link must not be modifiable (e.g. by changing the username, timestamp etc)
Retrieved from ‘http://wiki.darkmine.org/index.php?title=Password_reset_strategy&oldid=246