03-07-2010, 07:39 PM
I am working on a web site which requests some degree of security. A pair of username and password is requested for authentication. I need to provide some methods in case a user can't remember one or both login information. A user can retrieve his/her username by providing his/her email address in his/her account. That is the system will send you username by email if you can provide your email address. I am wondering how to let a user reset the password. Is a username enough or a pair of username + email address needed for a good balance between security and cconvenience?
03-07-2010, 08:02 PM
What I do on some sites is when a user wants to reset their password they must enter their username or email address. Keeping track of the original email address used to create the account might be a good idea this way any methods of resetting the password are sent only to the email address of the person who created the account in the first place. The user's account could have been hacked at which point the hacker may have changed their preferred email address or something. I don't recommend actually sending them their password in an email. Maybe a link that has a unique code that was generated for them and stored in a db somewhere. Once clicking the link they must again provide their username or email address at which point they should be allowed to reset their password.
03-08-2010, 12:55 AM
Thanks for your inputs, Aerospace Engineer.
Because both username and email address are public accessible information. It is safer to request the both for password reset. Since a password is hashed and salted, it is not retrievable. It shall not be sent to anyone by email.