<p>About password reset:</p>
<p>The practice of doing this by sending an email to the user's registered email address is, while very common in practice, not good security. Doing this fully outsources your application security to the user's email provider. It does not matter how long a password you require or whatever clever password hashing you use. I will be able to get into your site by reading the email sent out to the user, given that I have access to the email account or am able to read the unencrypted email anywhere on its way to the user (think: evil sysadmins).</p>
<p>This might or might not be important depending on the security requirements of the site in question, but I, as a user of the site, would at least want to be able to disable such a password reset function since I consider it unsafe.</p>
<p>I found <a href="http://www.fishnetsecurity.com/sites/default/files/media/10WP0003_BestPractices_SecureForgotPassword%5B1%5D_0.pdf" rel="nofollow noreferrer">this white paper</a> that discusses the topic.</p>
<p>The short version of how to do it in a secure way:</p>
<ol>
  <li><p>Require hard facts about the account</p>
    <ol>
      <li>username.</li>
      <li>email address.</li>
      <li>10 digit account number or other information like social security number.</li>
    </ol>
  </li>
  <li><p>Require that the user answers at least three predefined questions (predefined by you, don't let the user create his own questions) that cannot be trivial. Like "What's your favorite vacation spot", not "What's your favorite color".</p></li>
  <li><p>Optionally: Send a confirmation code to a predefined email address or cell number (SMS) that the user has to input.</p></li>
  <li><p>Allow the user to input a new password.</p></li>
</ol>
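<p>The four-step flow above, as an added example that is not part of the answer or the white paper: a hypothetical <code>ResetFlow</code> class that only accepts a new password after the account facts, the predefined-question answers and a short-lived, single-use confirmation code have all been verified in order. The slow hashing of stored answers and codes, the constant-time comparisons and the 600-second code lifetime are the example's own assumptions.</p>

```python
import hashlib, hmac, os, secrets, time

def _hash(secret, salt):  # slow, salted hash of a normalised fact/answer/code, so a leaked table is costly to crack
    return hashlib.pbkdf2_hmac("sha256", secret.strip().lower().encode(), salt, 50_000)

class ResetFlow:
    """Hypothetical reset flow enforcing the order: facts -> questions -> one-time code -> new password."""
    CODE_TTL = 600            # seconds a confirmation code stays valid (assumption)

    def __init__(self, username, email, account_no, answers):
        self.salt = os.urandom(16)
        self.facts = [_hash(f, self.salt) for f in (username, email, account_no)]
        self.answers = [_hash(a, self.salt) for a in answers]   # >= 3 answers to site-chosen questions
        self.password_hash = None
        self.code = None      # (hash of outstanding code, expiry) while a code has been sent
        self.stage = 0        # highest step completed; each step refuses to run before its predecessor

    def _advance(self, ok, stage):
        if ok:
            self.stage = stage
        return ok

    def _match(self, given, stored):  # compare every item (no early exit) with constant-time equality
        return all([hmac.compare_digest(_hash(g, self.salt), s) for g, s in zip(given, stored)])

    def step1_facts(self, username, email, account_no):
        return self._advance(self._match((username, email, account_no), self.facts), 1)

    def step2_questions(self, answers):
        ok = self.stage >= 1 and len(answers) == len(self.answers) and self._match(answers, self.answers)
        return self._advance(ok, 2)

    def step3_issue_code(self, now=None):  # returns the code to send by SMS/email; only its hash is stored
        if self.stage < 2:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self.code = (_hash(code, self.salt), (time.time() if now is None else now) + self.CODE_TTL)
        return code

    def step3_verify_code(self, code, now=None):
        if self.stage < 2 or self.code is None:
            return False
        stored, expiry = self.code
        self.code = None      # single use: a wrong or late guess burns the code, so guessing is not free
        within_ttl = (time.time() if now is None else now) <= expiry
        return self._advance(within_ttl and hmac.compare_digest(_hash(code, self.salt), stored), 3)

    def step4_set_password(self, new_password):
        if self.stage < 3:
            return False
        self.password_hash = hashlib.pbkdf2_hmac("sha256", new_password.encode(), self.salt, 50_000)
        self.stage = 0        # flow is spent; another reset must start again from step 1
        return True
```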