Comments on: “Forgot password” UI Pattern

By: Jason Judge

Jason Judge — Wed, 26 Oct 2011 17:04:13 +0000

Hamish – I was thinking this exact same thing – the password must not be changed immediately on a single click from the email, because it is all too easy for it to be clicked without thinking.

If the email link instead takes the user to a page where they need to re-enter the password they have chosen, just once, then that will prevent any accidental changing of their password.

It also means the password entered in the very first form does not need to be stored in any retrievable form – it can be [one-way] hashed and compared against the “confirmation page” password that is entered. It is that final password entered by the user that is sent for storage.

In my particular application, the passwords are stored in an offline CRM. The website sends the plain text passwords to the CRM (over an encrypted connection) and the website has no involvement in the way that password is hashed within the CRM. This means I can’t hash the password into its final form when the user first requests a password change.

I like this approach.

– Jason

By: Charles Waggoner

Charles Waggoner — Fri, 26 Aug 2011 19:22:30 +0000

I have a document that I downloaded in 2008 I don’t remember ever using a password on the free reader program. When I try to open the 3 year old document a password is called for. What can I do?

By: Prakash

Prakash — Mon, 09 Aug 2010 18:23:15 +0000

Aral, we’ve been using the same password-reset pattern as Amiando for some time, and we’ve found it works well. We use a similar pattern for new account sign up on Hashwork. Sign up form is right on home page, you enter your email and pick a password, then you get a link which verifies, and signs you in.

By: Bryan Rice

Bryan Rice — Mon, 19 Jul 2010 18:54:58 +0000

Getting the user to re-enter the password after they click on the confirmation link before the new password is made official seems to be a way to add one more level of security to this pattern by proving you know the new password. It would deal with the issue of someone blindly clicking a link from the new source.

By: peter

peter — Tue, 06 Jul 2010 23:04:06 +0000

The form says my password will be emailed to me. If this is true, it is worth noting. Having a fresh password emailed in plain text should certainly qualify as one more caveat.

By: Yanay Zohar

Yanay Zohar — Thu, 01 Jul 2010 14:41:59 +0000

Smart & simple.
Made my day! :-)

By: Connor

Connor — Mon, 28 Jun 2010 13:32:59 +0000

Ohhh! i didn’t read the verification part. That’s actually really sweet!

By: Connor

Connor — Mon, 28 Jun 2010 13:30:39 +0000

What happens when someone get a hold of an email that isn’t theirs, resets the password, logs in becuase they now know the username and password and then change the email associated with the account and the password. The original owner if completely locked out.

By: BobbyH

BobbyH — Tue, 15 Jun 2010 23:18:11 +0000

I’m all for innovative ideas. They keep us from getting into a stale groove. However, unless you have left out a step, I think this idea needs a serious revisit for the obvious security issue.

Scenario: If I know your email address and initiate the password reset with a password of my choosing, all I need you to do is click a link. If I login and change your email address before you realize what happened and change the password again, I would own your account.

You can see my latest implementation of a password reset feature here: http://acoderslife.com/index.cfm/blog/Careful-not-to-innovate-yourself-a-new-security-hole

Basically, it just sends you a link that logs you in. From there, you can just update your profile with a new password.

Of course, I am on the inside looking out on this one so feel free to scrutinize :-)

By: axel

axel — Tue, 15 Jun 2010 22:07:52 +0000

your suggestion has a security problem, if I write a script that automatically fills out the form with “guessed” email adresses (generated from adress lists etc.) and a my password, I’m sure there will be a small percentage of email recipients confirming the link not knowing what exactly they are going to do there. after a couple of hours my script could easily break those confirmed accounts using my password…