Reset passwords without sending the user an email

We need to provide a password reset for users of our website. The typical way is to send the user an email containing a reset link.

The problem is that we don’t want to set up a mail server just to reset passwords. Is there any other smart way to reset a password without sending the user an email?

EDIT: This is for users who have forgotten their passwords.

7 answers

You need to verify the user’s identity somehow so that other people cannot reset the password. Perhaps you can have them answer some questions (for example, their mother’s maiden name, their favourite colour) when they register. They can only use the password reset if they answer the questions correctly.

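The answer above describes the knowledge-based flow but not the details that make it survive contact with an attacker. The following is an added example (not code from the original answers) showing the pieces a practitioner would want: answers normalised and hashed like passwords, all answers checked before responding, a lockout after repeated failures, and a single-use, expiring reset token handed out only after the checks pass. The `USERS` store, the limits and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time
import unicodedata

# Added example, not from the original answers. Limits are assumed values.
PBKDF2_ITERATIONS = 100_000
MAX_FAILURES = 5              # wrong-answer attempts before lockout
LOCKOUT_SECONDS = 15 * 60
TOKEN_TTL_SECONDS = 15 * 60

USERS = {}   # constructed in-memory store: username -> record


def normalize_answer(answer: str) -> str:
    """Fold case, accents and spacing so 'Smith ' and 'smith' compare equal."""
    folded = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    return " ".join(folded.lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Answers are low-entropy, so treat them like passwords: salted and slow.
    return hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, PBKDF2_ITERATIONS)


def register(username: str, email: str, questions) -> None:
    """questions: list of (question, answer) pairs chosen at sign-up."""
    salt = os.urandom(16)
    USERS[username] = {
        "email": email.strip().lower(),
        "salt": salt,
        "questions": [(q, hash_answer(a, salt)) for q, a in questions],
        "failures": 0,
        "locked_until": 0.0,
        "reset": None,            # (sha256(token), expiry) while a reset is pending
        "password_salt": None,
        "password_hash": None,
    }


def request_reset(username: str, email: str, answers, now=None):
    """Return a single-use reset token if the email and every answer check out, else None."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None or user["email"] != email.strip().lower():
        return None   # same response as a wrong answer, so the form does not enumerate users
    if now < user["locked_until"]:
        return None
    ok = len(answers) == len(user["questions"])
    # Check every answer instead of stopping at the first miss, so the
    # response does not reveal which one was wrong.
    for (_, expected), given in zip(user["questions"], answers):
        ok &= hmac.compare_digest(expected, hash_answer(given, user["salt"]))
    if not ok:
        user["failures"] += 1
        if user["failures"] >= MAX_FAILURES:
            user["failures"] = 0
            user["locked_until"] = now + LOCKOUT_SECONDS
        return None
    user["failures"] = 0
    token = secrets.token_urlsafe(32)
    # Store only a hash of the token; a database leak then does not hand out live tokens.
    user["reset"] = (hashlib.sha256(token.encode()).digest(), now + TOKEN_TTL_SECONDS)
    return token


def complete_reset(username: str, token: str, new_password: str, now=None) -> bool:
    """Consume the token and set the new password; False if missing, expired or wrong."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None or user["reset"] is None:
        return False
    digest, expiry = user["reset"]
    if now > expiry:
        user["reset"] = None
        return False
    if not hmac.compare_digest(digest, hashlib.sha256(token.encode()).digest()):
        return False
    user["reset"] = None          # single use
    user["password_salt"] = os.urandom(16)
    user["password_hash"] = hashlib.pbkdf2_hmac(
        "sha256", new_password.encode(), user["password_salt"], PBKDF2_ITERATIONS)
    return True


if __name__ == "__main__":
    register("alice", "Alice@Example.com", [("First pet?", "Rex"), ("Maiden name?", "Smith")])
    tok = request_reset("alice", "alice@example.com", ["rex", "SMITH "])
    print("token issued:", tok is not None)
    print("reset done:", complete_reset("alice", tok, "correct horse battery staple"))
```

The token is what the emailed link would normally carry; here it is shown to the user directly after the questions are answered, which is exactly the step the second answer below describes. The lockout is per account; a production system would also rate-limit per source address, since answers such as a favourite colour have only a handful of plausible values.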

You can immediately expire their current password and require that they change it the next time they log in. A couple of password reset systems do this.

EDIT: Since this is for users who have forgotten their password and not for forced changes, you should simply take them directly to the link that you would have sent by email when they forgot their password. Make them enter the email address they registered with and some other details that you can verify. Basically what the other answers said.


I had the same problem with a very strange and demanding client. The site was a company intranet that remote users could access via VPN. One of the requirements (highlighted in bold):

The password reset mechanism should be convenient and not rely on email. Reset requests should be handled conveniently and require confirmation that the site trusts the visitor before acting on the reset request.

What I ended up with was generating a Mandelbrot fractal (100x100) that the user downloaded as their "reset" token, along with some secret questions they had to answer. To change their password, they had to answer their questions and upload their fractal (the region of the complex plane was determined from their personal information with simple hashing to avoid collisions).

This satisfied the requirement: the password reset was based on something they had as well as something they knew. If they lost the fractal or forgot the answers to their secret questions, they had to appear in person to recover the password.

Not exactly bulletproof, but it was satisfactory at the time. The hard part was making the fractals unique (at least 30 pixels different), since most users shared a lot of their personal data (city, state, area code, etc.).

Edit

The fractal (or rather its one-way representation) was used in other places too. Think RFID + camera.

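The fractal token above is a "something you have" factor, and the answer flags the two practical problems with it: deriving the image from shared personal data alone gives identical tokens, and some regions of the plane render almost blank. The following is an added example in the spirit of that design, not the original poster's code. It mixes a random per-user salt into the image selection, rejects near-uniform renders, stores only a SHA-256 digest of the issued file (so a database leak does not yield the tokens, at the cost that a lost token cannot be reissued, matching the in-person fallback described above), and verifies an upload with a constant-time comparison. The size, iteration cap, detail threshold and function names are assumptions.

```python
import hashlib
import hmac
import os

# Added example, not the original poster's code. Sizes and thresholds are assumed.
SIZE = 100                 # the post used a 100x100 image
MAX_ITER = 64              # escape-time iteration cap
MIN_DETAIL_PIXELS = 500    # reject near-blank windows (assumed threshold)
MAX_ATTEMPTS = 25

# Constructed in-memory store: username -> SHA-256 digest of the issued image.
TOKEN_DIGESTS = {}


def render_token(secret: bytes) -> bytes:
    """Render the window of the Mandelbrot set selected by `secret` as a binary PGM."""
    d = hashlib.sha256(secret).digest()

    def unit(offset):                         # uniform value in [0, 1) from 4 digest bytes
        return int.from_bytes(d[offset:offset + 4], "big") / 2 ** 32

    cx = -2.0 + 2.5 * unit(0)                 # real part of the window centre
    cy = -1.2 + 2.4 * unit(4)                 # imaginary part of the window centre
    width = 0.02 + 0.5 * unit(8)              # zoom level
    pixels = bytearray(SIZE * SIZE)
    for y in range(SIZE):
        for x in range(SIZE):
            c = complex(cx + (x / SIZE - 0.5) * width, cy + (y / SIZE - 0.5) * width)
            z, n = 0j, 0
            while n < MAX_ITER and abs(z) <= 2.0:
                z = z * z + c
                n += 1
            pixels[y * SIZE + x] = 255 * n // MAX_ITER   # grey level from escape time
    return b"P5 %d %d 255\n" % (SIZE, SIZE) + bytes(pixels)


def detail_pixels(image: bytes) -> int:
    """Number of pixels that differ from the most common grey value."""
    body = image[image.index(b"\n") + 1:]
    most_common = max(set(body), key=body.count)
    return len(body) - body.count(most_common)


def issue_token(username: str, personal_info: str) -> bytes:
    """Issue a token image. The random salt keeps two users with identical
    personal data from receiving the same image; blank windows are retried."""
    for _ in range(MAX_ATTEMPTS):
        salt = os.urandom(16)
        image = render_token(personal_info.encode("utf-8") + salt)
        if detail_pixels(image) < MIN_DETAIL_PIXELS:
            continue                           # nearly uniform window; pick another
        digest = hashlib.sha256(image).digest()
        if digest in TOKEN_DIGESTS.values():
            continue                           # identical to an already issued token
        TOKEN_DIGESTS[username] = digest
        return image
    raise RuntimeError("could not find a sufficiently detailed window")


def verify_token(username: str, uploaded: bytes) -> bool:
    """True only if the uploaded file is byte-for-byte the token issued to this user."""
    expected = TOKEN_DIGESTS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected, hashlib.sha256(uploaded).digest())


if __name__ == "__main__":
    img = issue_token("alice", "Springfield, IL, 217")
    with open("alice-reset-token.pgm", "wb") as f:
        f.write(img)
    print("token verifies:", verify_token("alice", img))
```

Because verification hashes the raw file, the token must be treated as an opaque download: if a user opens it in an image editor and re-saves it, the bytes change and the upload is rejected. The uniqueness check is by digest, which is what the stored data allows; the original's pixel-count criterion would require keeping the issued images themselves, which is the trade-off to decide before adopting the scheme. In a real flow `verify_token` is combined with the secret-question check so that both factors must pass.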

You can use regular postal mail to send a new password :-).

In general, you need to check that the user trying to use the reset is the one who originally registered. The easiest way is to send the password reset to the email address used during registration. Alternatively you can have some kind of security question that allows the password to be reset, but most people will choose something really lame, and you will end up with a system where it is quite easy to steal someone’s identity.


There must be some class that talks directly to a remote SMTP server (for example, your ISP’s SMTP server) using sockets; just find such a class and you won’t have to run your own SMTP server to send email.


Use OpenID. Then recovering user passwords becomes the OpenID provider’s problem. And your users will be grateful that they don’t have to remember yet another lousy password.


The usual answer to this question is a security question. If you do not put some obstacle in the user’s way, you open the system up so that almost anyone can reset the password.


Source: https://habr.com/ru/post/1307135/
