As part of one of my academic projects, I did a bit of research on password reset functionality of about a dozen major websites. It was interesting to note that each and every website had implemented it in a different manner. So much difference in the process and the lack of a standard procedure was shocking, though understandable. It was interesting to brainstorm and discuss about the rationale behind each of the password reset process and the User Experience decisions involved.
I also noticed a frighteningly large number of small websites that get 'password reset' absolutely wrong, compromising their users' accounts. It is something that is very difficult to get right, unless thought through completely before implementation. Whenever I signup for a new user account on a fairly new website, I try to use a dummy throwaway password on the first attempt and then try the password reset option to see if the website is actually serious about security. It is like a litmus test for me to decide about continuing to use the website and trusting them with more of my data.
Can you give some examples of what you'd consider red flags in a site's password reset procedure? I'd be really curious; this is an area that I've thought about as a "necessary but horrible-for-security thing".
A few examples of unacceptable practices followed by certain websites include:
- Sending your password to your email in plain text.
- Allowing user to set new password just by answering simple personal details like DOB, Zip code etc which might be known to a number of your friends and family members.
Often it is simple enough to implement a password reset functionality with a reset-link that contains a GUID which expires after a certain period of time. It could be more secure, but is a tradeoff between providing greater security and a longer reset process.
One of the major risks of websites with very naive reset procedures is that many people use the same password with multiple websites. So if a user's password gets compromised on a site, then the attacker can easily try those passwords with other services and gain easy access to user data.
Only if the send you your old password. If they reset your password, they can send you the plaintext first, then hash the password and store it in the database.
No. The problem is that email isn't encrypted on the backend. Sending a plain text password means every server between the website's SMTP server and your email provider's SMTP server can see the password.
a) Work once. If you click on a password reset link and it says it's already been used, you know something is up, v.s. someone using the plaintext password to log in before you and you are non the wiser.
b) Expire. Lot's of people won't bother changing the password that was given to them, so anyone who comes across a plaintext password in the email at a later date would be able to log in.
Temporary plaintext passwords are rare; I don't think I've ever seen one. If you've got as far as temporary plaintext passwords, I'd argue it's a better UX to provide a simple link instead of forcing them to copy and paste something.
I also noticed a frighteningly large number of small websites that get 'password reset' absolutely wrong, compromising their users' accounts. It is something that is very difficult to get right, unless thought through completely before implementation. Whenever I signup for a new user account on a fairly new website, I try to use a dummy throwaway password on the first attempt and then try the password reset option to see if the website is actually serious about security. It is like a litmus test for me to decide about continuing to use the website and trusting them with more of my data.