Secure Programming Tips - Password Reset Requests

Week 5: Forgotten Password Requests

As developers, it is important for us to create user friendly applications: applications that are intuitive to the end user and that give the user a way to deal with any issues that might arise while using them. A common issue is an end user forgetting their password. This is frustrating for the user and often ends in a call to a helpdesk to have the password reset, which costs the user productivity. So what can developers do to relieve that frustration? We can build the functionality into the application itself. It is fairly simple to create: the application gathers one or more details associated with the account, such as a username, account number or email address, and uses them to check that the person making the reset request corresponds to a valid user of the application. Note that these details identify the account rather than prove who is asking; a username or email address is rarely secret, so the rest of the process has to supply the actual proof.

Figure 1 below shows an example of a reset password request page.

Figure 1

Upon entering the required details above, the first step in the process is to run some application logic on the values entered to ensure they match an existing account. The next step, assuming they do, is to decide how we are going to allow the user to reset their password. One option, albeit the worst possible one, would be to let the user create a new password right then and there, as shown in Figure 2.

Figure 2

The primary reason the option above is a bad idea is that the only thing standing between an attacker and a new password is knowledge of the identifying details. If a lockout policy is not enforced, i.e. the account is not locked after a certain number of failed reset attempts, a malicious user can brute-force usernames, account numbers or email addresses, and every hit lets them set a new password for a valid account. The attacker takes over the account and the legitimate user is locked out of it, which across the user base amounts to an application-level DoS (Denial of Service). A lockout policy limits the guessing, but it does not change the fact that the page hands out a new password in exchange for information that was never secret.

Another, more widely used option is to send an email to the user's address containing a temporary password that lets the user log in and then change their password to something permanent. This option has security issues of its own. The first is the assumption that the user's mailbox is accessible only to the user and to nobody else. The second, which happens quite often, is that the email contains more information than it should, as seen in Figure 3.

Figure 3

As we can see in Figure 3, not only did the application send the new password in clear text, it also sent the other credentials associated with the account, including the username, the account number and a link to log in with the new credentials. If anyone else can read the user's mailbox, this single email gives them everything they need to compromise and control the account.

Realistically, if you are going to use an email exchange to allow the user to reset a forgotten password, the most secure approach is to send a link containing a security token that represents a one-time request. A globally unique identifier (GUID) is often used as this token, but uniqueness is not the property that matters here: the token must be unpredictable, so it should come from a cryptographically secure random number generator (a GUID is unique, but depending on how it is generated it is not necessarily hard to guess). The link and its token should be valid for no more than 30 minutes, should work only once, and should carry nothing else: no username, no account number, no password. Server side, store a hash of the token rather than the token itself, so that a leaked table does not hand out live reset links. This reduces the risk of the account being compromised in the event someone else has access to the user's mailbox. Figure 4 is an example of a password reset email containing such a link.

Figure 4
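To make the whole procedure concrete, the following Python is an added example written for this page (it is not code from the article, from Data Springs or from DotNetNuke). It covers both the lockout policy discussed under Figure 2 and the one-time, 30-minute link from the paragraph above: the request step throttles per account and answers identically whether or not the details match, the email carries only the link, and the completion step accepts each token once and only before it expires. The in-memory store, the reset URL, the five-requests-per-hour limit and the sample user are constructed assumptions, not values from the article.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 60                  # the article's 30-minute window
MAX_REQUESTS_PER_HOUR = 5                    # hypothetical per-account throttle
RESET_URL = "https://www.example.com/reset"  # hypothetical reset page


class ResetStore:
    """Constructed in-memory stand-in for the application's database."""

    def __init__(self):
        self.users = {}     # username -> {"email", "salt", "password_hash"}
        self.tokens = {}    # sha256(token) -> {"user", "expires", "used"}
        self.attempts = {}  # username -> list of reset request timestamps

    def add_user(self, username, email, password):
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "email": email,
            "salt": salt,
            "password_hash": _hash_password(password, salt),
        }


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _hash_token(token):
    # Only the hash is stored, so a copy of the table yields no usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(store, username, email, now=None):
    """Validate the identifying details, throttle, and issue a one-time link.

    Returns the text of the email to send, or None when nothing should be
    sent. The HTTP response shown to the requester must be identical in
    both cases, so the page cannot be used to enumerate accounts.
    """
    now = time.time() if now is None else now
    # Lockout policy: count reset requests for this account in the last hour.
    recent = [t for t in store.attempts.get(username, []) if now - t < 3600]
    recent.append(now)
    store.attempts[username] = recent
    if len(recent) > MAX_REQUESTS_PER_HOUR:
        return None
    user = store.users.get(username)
    if user is None or not hmac.compare_digest(
        user["email"].lower().encode(), email.lower().encode()
    ):
        return None
    # Unpredictable token from the OS CSPRNG, not a GUID.
    token = secrets.token_urlsafe(32)
    store.tokens[_hash_token(token)] = {
        "user": username,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    # The email carries the link and nothing else: no username, account
    # number or password (the Figure 3 mistake).
    return (
        "A password reset was requested for your account.\n"
        "If this was you, open the link below within 30 minutes:\n"
        f"{RESET_URL}?token={token}\n"
        "If it was not, ignore this message and your password stays unchanged.\n"
    )


def complete_reset(store, token, new_password, now=None):
    """Consume the token: it must exist, be unused and be unexpired."""
    now = time.time() if now is None else now
    rec = store.tokens.get(_hash_token(token))
    if rec is None or rec["used"] or now > rec["expires"]:
        return False
    rec["used"] = True
    user = store.users[rec["user"]]
    user["salt"] = secrets.token_bytes(16)
    user["password_hash"] = _hash_password(new_password, user["salt"])
    # Any other outstanding links for this account die with this one.
    for other in store.tokens.values():
        if other["user"] == rec["user"]:
            other["used"] = True
    return True


def verify_password(store, username, password):
    user = store.users.get(username)
    if user is None:
        return False
    return hmac.compare_digest(
        user["password_hash"], _hash_password(password, user["salt"])
    )
```

A page built on this would call `request_reset` from the form handler, send the returned text (if any) to the address on file, and always render the same "if the details matched, an email is on its way" message; the link's handler calls `complete_reset` with the token from the query string and the new password from the form.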

 

As we have seen from the examples in this article, there are good ways and bad ways to let a user reset their password. We do not want the request page to set a new password on the spot, least of all without a lockout policy in place. When we use the user's email address to carry out the reset, we do not want to send the user's credentials, and we do not want to send a password in clear text. The best recommendation, short of a phone call to the help desk, is to provide the user with a secure link that is only valid for a limited time, which reduces the risk of the account being compromised.

Copyright 2005 - 2008 by Data Springs, Inc.