(41 intermediate revisions by 14 users not shown) |
Line 1: |
Line 1: |
− | = Introduction = | + | __NOTOC__ |
| + | <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div> |
| | | |
− | This article provides a simple model to follow when implementing a "forgot password" web application feature.<br>
| + | The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]! |
| | | |
− | = The Problem =
| + | Please visit [https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html Forgot Password Cheat Sheet] to see the latest version of the cheat sheet. |
− | | |
− | There is no industry standard for implementing the "Forgot Password' featyre. The result is that users could be forced to jump through myriad hoops involving emails, special URLs, temporary passwords, personal security questions, and so on. In some applications you can recover your existing password. In others you have to reset it to a new value.
| |
− | | |
− | The recommendations presented for implementing "Forgot Password" are most appropriate for organizations that have a business relationship with users. Web applications that target the general public (social networking, free email sites, etc.) are fundamentally different and some concepts presented may not be feasible in those situations.
| |
− | | |
− | = Steps =
| |
− | | |
− | == 1) Gather Identity Data ==
| |
− | | |
− | The first page of a secure forgot password feature asks the user for multiple pieces of hard data. A single HTML form should be used for all of the inputs.
| |
− | | |
− | A minimum of three inputs is recommended, but the more you require, the more secure it will be. One of the inputs, preferably listed first, should be the username. Others can be selected depending on the nature of the data available to the application. Examples include:
| |
− | | |
− | * email address
| |
− | * last name
| |
− | * date of birth
| |
− | * account number
| |
− | * customer number
| |
− | * social security number
| |
− | * zip code for address on file
| |
− | * street number for address on file
| |
− | | |
− | == 2) Verify Security Questions ==
| |
− | | |
− | == 3) Send a Token Over a Side-Channel ==
| |
− | | |
− | == 4) Allow user to change password ==
| |
− | | |
− | = Related Articles =
| |
− | | |
− | Fishnet Security - [http://www.fishnetsecurity.com/Resource_/PageResource/White_Papers/FishNetSecurity_SecureForgotPassword.pdf Secure Forgot Password]
| |
− | | |
− | {{Cheatsheet_Navigation}}
| |
− | | |
− | = Authors and Primary Editors =
| |
− | | |
− | David Furgeson - David.Ferguson[at]fishnetsecurity.com<br/>
| |
− | Jim Manico - jim[at]owasp.org
| |
− | | |
− | [[Category:Cheatsheets]] [[Category:OWASP_Document]]
| |
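Review bot: the inline style on the added header `<div>` is malformed: `border:0,margin:0;` separates two declarations with a comma instead of a semicolon, so the browser parses `0,margin:0` as an invalid value for `border` and discards it, leaving neither the border nor the margin applied; it should read `border:0;margin:0;`. Separately, the replacement keeps only the two pointer sentences and drops the "Related Articles" link (FishNet Security, Secure Forgot Password) and the "Authors and Primary Editors" credits (David Furgeson, Jim Manico) without carrying them over, so it is worth confirming that the GitHub version of the cheat sheet preserves that attribution, or adding a short note here that it does.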
Latest revision as of 14:09, 15 July 2019
The Cheat Sheet Series project has been moved to GitHub!
Please visit Forgot Password Cheat Sheet to see the latest version of the cheat sheet.