
Password Reset


Last updated 1 year ago

Overview

This page contains recommendations for the implementation of password reset functionality.

General

  • Implement a password reset in one of the following ways:

    • Password reset based on a URL token

    • Password reset based on a one-time password

    • Password reset based on a time-based one-time password

  • During password reset, do not indicate whether a user with the entered data exists. Ask for a username/email address/phone number/etc. and inform the user that, if there is a user with the data entered, reset instructions will be sent to them via the appropriate communication channel.

  • Only block an old password after a user has successfully passed the password reset step.

  • Do not automatically sign a user in. Once a user sets their new password, log the user out and send them to the usual login mechanism (with multi-factor authentication, if enabled).

  • Terminate all active sessions after the password reset. You can explicitly ask a user if they want to invalidate all of their existing sessions.

  • During password reset, request at least the following data:

    • New password.

    • Confirmation of the new password.

  • Link a random token (or one-time password) to an individual user in a database.

  • Do not reveal a current password in any way during the password reset.

  • Do not reveal a random token (or one-time password) in any way during the password reset.

  • Log successful and failed password reset attempts, see the Logging and Monitoring page.

  • Comply with requirements from the Error and Exception Handling page.

  • Generate a random token using a cryptographically strong random generator, see the Cryptography: Random Generators page.

  • Do not rely on the Host HTTP header while creating the reset URLs to avoid the Host Header Injection attack. Either hardcode the URL or validate against a list of trusted domains using an allow list.

  • Add the Referrer-Policy HTTP header with the noreferrer value to the reset password page in order to avoid referrer leakage.

Implement a password reset in one of the following ways:

Password reset based on a URL token

  • Send a password reset URL to a user and pass a random token in the query string of the URL. For example:

    https://website.local/account/password/reset?token=GiOzXAwlZ17NsW4CkVV8MQXtiQN9cWiY

  • Use random tokens of length 32+ bytes.

  • Set a short expiration time for a random token (~ 24 hours).

  • Use a random token only once. Delete the random token or transfer it to a final status that prohibits reuse.

Password reset based on a one-time password

  • Send a one-time password to a user for confirmation of the password reset.

  • Comply with the requirements from the Authentication: One Time Password (OTP) page.

Password reset based on a time-based one-time password

  • Use a time-based one-time password generated on the user side for confirmation of the password reset.

  • Comply with the requirements from the Authentication: One Time Password (OTP) page.

References

  • OWASP Cheat Sheet Series: Forgot Password Cheat Sheet
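The following is an added example, not code from the handbook, showing how the General recommendations and the "Password reset based on a URL token" section fit together in one small service: a neutral reply that does not reveal whether the account exists, a 32-byte CSPRNG token that is stored only as a digest, a 24-hour expiry, single use, the reset URL built from an allow-listed host rather than the Host header, the old password blocked only once the reset succeeds, and all sessions terminated without signing the user in. The same storage pattern (digest, expiry, single use) applies to a server-sent one-time password from the next section. The in-memory `users`/`records` dictionaries, the `outbox` list and the PBKDF2 `hash_password` helper are assumptions standing in for a real database, mailer and the project's password storage.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field

TOKEN_BYTES = 32                    # random tokens of 32+ bytes
TOKEN_TTL_SECONDS = 24 * 60 * 60    # short expiry, ~24 hours
CANONICAL_HOST = "website.local"    # hardcoded host used when the Host header is not trusted
TRUSTED_HOSTS = {"website.local"}   # allow list; the Host header alone is never trusted
NEUTRAL_REPLY = "If an account exists for that address, reset instructions have been sent."


@dataclass
class User:
    email: str
    password_hash: str
    sessions: set = field(default_factory=set)   # active session ids (constructed stand-in)


@dataclass
class ResetRecord:
    user_email: str
    expires_at: float
    used: bool = False   # final status that prohibits reuse


def hash_token(token: str) -> str:
    # Only a digest of the token is stored, so a database leak does not expose live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def hash_password(password: str) -> str:
    # Assumed stand-in for the project's password storage: salted PBKDF2-HMAC-SHA256.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


class PasswordResetService:
    def __init__(self, users, now=time.time):
        self.users = {u.email: u for u in users}
        self.records = {}   # token digest -> ResetRecord (stands in for a DB table)
        self.outbox = []    # (email, url) pairs a mailer would deliver
        self.now = now      # injectable clock so expiry can be tested

    def reset_url(self, host_header: str) -> str:
        # Build the link from an allow-listed host, never from an unchecked Host header.
        host = host_header if host_header in TRUSTED_HOSTS else CANONICAL_HOST
        return f"https://{host}/account/password/reset"

    def request_reset(self, email: str, host_header: str) -> str:
        user = self.users.get(email)
        if user is not None:
            token = secrets.token_urlsafe(TOKEN_BYTES)   # CSPRNG-backed, 32 bytes of entropy
            self.records[hash_token(token)] = ResetRecord(
                user.email, self.now() + TOKEN_TTL_SECONDS
            )
            self.outbox.append((email, f"{self.reset_url(host_header)}?token={token}"))
        # Same reply whether or not the account exists, so the endpoint does not enumerate users.
        return NEUTRAL_REPLY

    def reset_password(self, token: str, new_password: str, confirmation: str,
                       invalidate_sessions: bool = True):
        if new_password != confirmation:
            return False, "passwords do not match"
        # Lookup by digest: the plaintext token is never stored or compared directly.
        record = self.records.get(hash_token(token))
        if record is None or record.used or record.expires_at <= self.now():
            return False, "invalid or expired token"   # one message for every failure
        record.used = True                                # single use, marked before anything else
        user = self.users[record.user_email]
        user.password_hash = hash_password(new_password)  # old password is blocked only now
        if invalidate_sessions:
            user.sessions.clear()                         # terminate all active sessions
        # Nobody is signed in here; the user goes through the normal login (with MFA if enabled).
        return True, "password updated, please sign in"
```

A request from an attacker-controlled Host header still produces a link on `website.local`, a mismatched confirmation or a reused, unknown or expired token all fail with the same message, and the token never appears anywhere except the single email that carries it.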