

Password Reset: Email Validation & Security

TL;DR

Asking for a password *after* email validation is bad security practice. It tells anyone who submits an address whether that address has an account, turning your login and reset forms into an account-enumeration oracle that makes it easier to target users. Instead, respond identically whether or not the address is registered, and put the effort into a robust password reset flow with strong verification.

Why Asking For A Password After Email Validation Is Risky

When you ask for a password immediately after someone enters their email address, and behave differently when the address is unknown, you are telling anyone who tries that the email is registered to an account. This is account enumeration, and it opens up several attack vectors:

  • Credential Stuffing: Attackers replay username/password pairs leaked in other breaches. The enumeration step lets them discard pairs whose address has no account here and spend their requests only on the ones that can succeed.
  • Brute-Force Attacks: Even without a leaked list, attackers can try common passwords, confident that the email belongs to a real account.
  • Phishing Confirmation: It confirms to a phisher that the address belongs to a real customer, so the lure can be tailored to your service.

How To Fix It: A Secure Password Reset Flow

Here’s how to implement a much safer password reset process:

1. Initial Email Request

  1. Only ask for the email address initially. Do not prompt for any password information at this stage, and show the same "if that address is registered, we have sent a link" message whether or not the address exists; the difference must not be observable in the response body, status code or response time.
  2. Generate a unique, time-limited token from a cryptographically secure random source (for example `secrets.token_urlsafe(32)` in Python, or 32 bytes from `/dev/urandom`). Do not rely on a plain UUID: the UUID standard does not guarantee unpredictability.
  3. Store only a hash of the token (SHA-256 is sufficient, since the token itself is high-entropy) in your database, associated with the user's account, together with an expiry timestamp. If the token table leaks, the hashes cannot be turned into working reset links.
  4. Send an email containing a link that carries the token as a query parameter and points to the password reset page on your website. The token should travel only inside that link, never as a separate value the user is asked to copy, and the email must never contain a password. Example:
    https://yourwebsite.com/reset-password?token=abcdef1234567890

2. Password Reset Page

  1. Validate the token: When a user clicks the link, verify that:
    • The hash of the presented token exists in your database (look it up by hash, never by the raw value).
    • The token hasn't expired.
    • The token is associated with the account whose password is being changed. Take the account from the token record; never let the form submit the email address separately.
  2. Present a form to set a new password. Enforce a minimum length and check the candidate against known-breached password lists; length matters more than arbitrary character-class rules.
  3. Hash and salt the new password securely before storing it in your database. Never store passwords in plain text! Use a strong, deliberately slow hashing algorithm like bcrypt or Argon2.
    # Example using Python with the bcrypt package (pip install bcrypt)
    import bcrypt

    password = b'your_new_password'                               # bcrypt only looks at the first 72 bytes
    hashed_password = bcrypt.hashpw(password, bcrypt.gensalt())   # the salt is embedded in the output
    print(hashed_password)                                        # store this string, never the plain password

    # Later, at login: checkpw reads the salt out of the stored hash and compares safely
    assert bcrypt.checkpw(password, hashed_password)
  4. Invalidate the token after a successful password reset (delete the row or mark it used), and invalidate every other outstanding reset token for that account at the same time. This prevents reuse of the same token. Terminate the account's existing sessions as well, so that whoever prompted the reset is not left logged in.
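
The two stages above, written out end to end as an added example (this is not code from the original page). It assumes in-memory dictionaries in place of the user and token tables and a list in place of the mailer, uses the page's example URL, and substitutes the standard library's scrypt for bcrypt/Argon2 so that it runs without third-party packages; the function names are illustrative.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_TTL_SECONDS = 15 * 60      # a reset link stays valid for 15 minutes
MIN_PASSWORD_LENGTH = 12
RESET_URL = "https://yourwebsite.com/reset-password"   # the page's example URL

# Constructed in-memory stand-ins (assumptions) for the user table, the
# reset-token table and the outgoing mail queue of a real application.
users = {"alice@example.com": {"pw_hash": b"", "pw_salt": b""}}
reset_tokens = {}    # sha256(token) -> {"email": ..., "expires": ...}
outbox = []          # (recipient, body) pairs the mailer would have sent


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted, memory-hard hash; stdlib scrypt stands in for bcrypt/Argon2."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return digest, salt


def verify_password(password: str, email: str) -> bool:
    """Login-time check: recompute with the stored salt, compare in constant time."""
    record = users.get(email)
    if not record or not record["pw_hash"]:
        return False
    digest, _ = hash_password(password, record["pw_salt"])
    return hmac.compare_digest(digest, record["pw_hash"])


def _token_key(token: str) -> str:
    # Only the hash is stored: a leaked token table yields no usable reset links.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email: str, now=None) -> str:
    """Stage 1: same reply for known and unknown addresses, so nothing is enumerable."""
    now = time.time() if now is None else now
    if email in users:
        token = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG
        reset_tokens[_token_key(token)] = {"email": email,
                                           "expires": now + TOKEN_TTL_SECONDS}
        link = RESET_URL + "?" + urlencode({"token": token})
        outbox.append((email, "Reset your password: " + link))
    return "If that address is registered, a reset link has been sent."


def token_from_link(body: str) -> str:
    """What the user's click delivers: the token parsed back out of the mailed link."""
    query = urlparse(body.split("Reset your password: ", 1)[1]).query
    return parse_qs(query)["token"][0]


def validate_token(token: str, now=None):
    """Stage 2, step 1: the owning email if the token is known and unexpired, else None."""
    now = time.time() if now is None else now
    key = _token_key(token)
    record = reset_tokens.get(key)
    if record is None:
        return None
    if now > record["expires"]:
        del reset_tokens[key]                         # drop stale tokens eagerly
        return None
    return record["email"]


def complete_reset(token: str, new_password: str, now=None) -> bool:
    """Stage 2, steps 2-4: check token, enforce length, hash and store, burn the token."""
    email = validate_token(token, now)
    if email is None or len(new_password) < MIN_PASSWORD_LENGTH:
        return False
    users[email]["pw_hash"], users[email]["pw_salt"] = hash_password(new_password)
    # Single use: remove this token and any other outstanding token for the account.
    for key in [k for k, v in reset_tokens.items() if v["email"] == email]:
        del reset_tokens[key]
    return True
```

Note that `request_reset` returns the same string on both paths and only the hidden side effect (a queued email) differs, and that the account whose password changes comes from the token record rather than from anything the reset form submits.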

3. Additional Security Measures

  • Rate Limiting: Limit the number of password reset requests per source IP address and per target email address within a time window, and keep the response identical when the limit is hit: silently skip sending the email rather than returning an error that itself confirms the account.
  • Two-Factor Authentication (2FA): Encourage users to enable 2FA for an extra layer of security, and require the second factor when a 2FA-protected account's password is reset.
  • Email Security: Publish SPF, DKIM and DMARC records for your sending domain so that your reset emails can be authenticated and spoofed "reset your password" phishing mails are rejected.
  • Account Lockout: Temporarily lock accounts after multiple failed login attempts, but throttle rather than lock on reset requests: anyone can submit a reset for any address, so locking on reset attempts would let an attacker lock victims out at will.
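
The rate-limiting measure above, as an added example that is not from the original page: a sliding-window throttle keyed on both the client IP and the normalised target address. It keeps an in-memory deque per bucket as a stand-in for a shared store such as Redis; the limits, window and names are illustrative.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 15 * 60
MAX_PER_IP = 10       # many different addresses from one client looks like enumeration
MAX_PER_EMAIL = 3     # repeated resets for one account looks like probing or harassment

_requests = defaultdict(deque)   # bucket key -> timestamps of requests still inside the window


def _recent(key: str, now: float) -> int:
    """Prunes timestamps that fell out of the window and returns how many remain."""
    bucket = _requests[key]
    while bucket and now - bucket[0] >= WINDOW_SECONDS:
        bucket.popleft()
    return len(bucket)


def allow_reset_request(ip: str, email: str, now=None) -> bool:
    """True if a reset email may be sent; False means: keep the usual reply, send nothing."""
    now = time.time() if now is None else now
    ip_key = "ip:" + ip
    email_key = "email:" + email.strip().lower()   # Alice@Example.com and alice@example.com share a bucket
    # Check both buckets before charging either, so a refused request consumes no quota.
    if _recent(ip_key, now) >= MAX_PER_IP or _recent(email_key, now) >= MAX_PER_EMAIL:
        return False
    _requests[ip_key].append(now)
    _requests[email_key].append(now)
    return True
```

Call it before looking the account up, so that known and unknown addresses are throttled identically, and when it returns False still return the generic "if that address is registered" message and simply do not send the email. Because it throttles rather than locks, an attacker who floods reset requests for a victim's address only delays that victim's next legitimate reset by one window instead of locking the account.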