Revision as of 22:48, 1 March 2011

1 Introduction
2 The Problem
3 Steps
4 Related Articles
5 Authors and Primary Editors

Introduction

This article provides a simple model to follow when implementing a "forgot password" web application feature.

The Problem

There is no industry standard for implementing the "Forgot Password' featyre. The result is that users could be forced to jump through myriad hoops involving emails, special URLs, temporary passwords, personal security questions, and so on. In some applications you can recover your existing password. In others you have to reset it to a new value.

The recommendations presented for implementing "Forgot Password" are most appropriate for organizations that have a business relationship with users. Web applications that target the general public (social networking, free email sites, etc.) are fundamentally different and some concepts presented may not be feasible in those situations.

Steps

1) Gather Identity Data

The first page of a secure forgot password feature asks the user for multiple pieces of hard data. A single HTML form should be used for all of the inputs.

A minimum of three inputs is recommended, but the more you require, the more secure it will be. One of the inputs, preferably listed first, should be the username. Others can be selected depending on the nature of the data available to the application. Examples include:

email address
last name
date of birth
account number
customer number
social security number
zip code for address on file
street number for address on file

2) Verify Security Questions

3) Send a Token Over a Side-Channel

4) Allow user to change password

V - T - E Cheat Sheets
Developer / Builder	3rd Party Javascript Management Access Control AJAX Security Cheat Sheet Authentication (ES) Bean Validation Cheat Sheet Choosing and Using Security Questions Clickjacking Defense Credential Stuffing Prevention Cheat Sheet Cross-Site Request Forgery (CSRF) Prevention Cryptographic Storage C-Based Toolchain Hardening CSS Security Deserialization DOM based XSS Prevention Forgot Password HTML5 Security HTTP Strict Transport Security Injection Prevention Cheat Sheet Injection Prevention Cheat Sheet in Java JSON Web Token (JWT) Cheat Sheet for Java Input Validation Insecure Direct Object Reference Prevention JAAS Key Management LDAP Injection Prevention Logging Mass Assignment Cheat Sheet .NET Security OS Command Injection Defense Cheat Sheet OWASP Top Ten Password Storage Pinning Query Parameterization REST Security Ruby on Rails Session Management SAML Security SQL Injection Prevention Transaction Authorization Transport Layer Protection TLS Cipher String Configuration Unvalidated Redirects and Forwards User Privacy Protection Web Service Security XSS (Cross Site Scripting) Prevention XML External Entity (XXE) Prevention Cheat Sheet
Assessment / Breaker	Attack Surface Analysis REST Assessment Web Application Security Testing XML Security Cheat Sheet XSS Filter Evasion
Mobile	Android Testing IOS Developer Mobile Jailbreaking
OpSec / Defender	Virtual Patching Vulnerability Disclosure
Draft and Beta	Application Security Architecture Business Logic Security Content Security Policy Denial of Service Cheat Sheet Grails Secure Code Review IOS Application Security Testing PHP Security Regular Expression Security Cheatsheet Secure Coding Secure SDLC Threat Modeling
All Pages In This Category

Authors and Primary Editors

David Furgeson - David.Ferguson[at]fishnetsecurity.com
Jim Manico - jim[at]owasp.org

@@ Line 12: / Line 12: @@
 == 1) Gather Identity Data ==
+The first page of a secure forgot password feature asks the user for multiple pieces of hard data. A single HTML form should be used for all of the inputs.
+A minimum of three inputs is recommended, but the more you require, the more secure it will be. One of the inputs, preferably listed first, should be the username. Others can be selected depending on the nature of the data available to the application. Examples include:
+* email address
+* last name
+* date of birth
+* account number
+* customer number
+* social security number
+* zip code for address on file
+* street number for address on file
 == 2) Verify Security Questions ==

Difference between revisions of "Forgot Password Cheat Sheet"

Revision as of 22:48, 1 March 2011

Introduction

The Problem

Steps

1) Gather Identity Data

2) Verify Security Questions

3) Send a Token Over a Side-Channel

4) Allow user to change password

Related Articles

Authors and Primary Editors

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools