Forgotten password security

03-11-2008, 12:56 PM
What would be the security advantage in sending an email with a link to click on to request a new password over just sending them an email with their password upon submitting a form with their email address?

03-11-2008, 03:50 PM
You want to minimize exposure to the password. Sending it through an email in plain view could allow it to be seen by others in physical line of sight, as well as by others who might intercept or gain access to the emails besides the owner of that email. Then you might ask, if they can intercept or gain access to the email, why would sending a link be any better? The link you send should only allow access once and should expire after a short amount of time if not clicked on. A password sent in an email will still be visible in the email unless they delete it completely, and that password will still give access unless, of course, it was a temporary password and you require them to change it upon logging in.

03-11-2008, 04:01 PM
Always a pleasure Spookster!!

That's added to my arsenal of knowledge

03-12-2008, 02:11 AM
You shouldn't be storing their password in clear text in your database anyway. You should be storing the hash of their password. Popular hashes are MD5 or SHA1. And of course if you are doing that you can't send them their original password back.

Then if they forget the password, you can do what Spookster suggested and send them a link.
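Putting the two points above together, here is an added example (not code from anyone in this thread) of a single-use, expiring reset token plus salted password hashing. The 15-minute lifetime, the in-memory dictionary standing in for a database table, and the PBKDF2 work factor are assumptions chosen for the example; PBKDF2-HMAC-SHA256 is used for the password because a plain, unsalted MD5 or SHA1 digest is not an adequate password store today.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumption for this example: reset links die after 15 minutes if unused.
TOKEN_TTL_SECONDS = 15 * 60
PBKDF2_ROUNDS = 200_000  # assumed work factor; tune to your hardware


def hash_password(password, salt=None):
    """Return (salt, digest) for storage; the clear-text password is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class ResetTokens:
    """Stand-in for a reset_tokens table; only a hash of each token is stored,
    so a copy of the database does not yield usable reset links."""

    def __init__(self):
        self._pending = {}  # sha256(token) -> (email, expires_at)

    def issue(self, email, now=None):
        """Create a fresh random token; the raw value goes into the emailed link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self._pending[key] = (email, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token, now=None):
        """Return the account email if the token is unknown-to-nobody, unused and
        unexpired; the token is consumed either way, so it can never be replayed."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(key, None)  # pop enforces single use
        if entry is None:
            return None
        email, expires_at = entry
        return email if now <= expires_at else None
```

Once `redeem` returns the email, the application should prompt for a new password and store it with `hash_password`, which is the step that replaces emailing a password at all.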

03-12-2008, 09:55 AM
Yeah, that's what I'm doing the now, thanks.