A friend of mine just posted a question on Buzz:
When you hit "Forgot your password" in most of the pages, they will send you an email with a link (most of the time it will expire after sometime) to reset your pass. In most cases that link includes something like a UUID. Is there a name for this technique? Making an expirable url / link? The way I will do this is just generating a UUID, or something simpler and doing all the expire stuff programmatically. I'm wondering if there is a name for this kind of technique?
After reading his question, I'm now curious about the same: does this technique already have a name, or better, is it already considered a pattern by the global community?
You can call this Self-service password reset with authentication token.
Resources:
- www.goodsecurityquestions.com
I believe the name of the UI pattern is "Password reset pattern" or "Forgot password pattern".
One of the worst implementations is where you answer a "security" question to reset your password, because those questions are really insecure, as the link Colin Hebert pointed to explains.
One of the best implementations is Amiando's, which asks for the user's e-mail address and new password and then sends a confirmation via email to confirm the new password. More info on this blog.
It is very important that the user confirms his identity via email or other personal medium like SMS on cellphone (less common).
Other examples of implementations of this pattern here.
This is the basic pattern I'm going with in my application:
- User enters username or email and clicks "Reset password"
- One-time token url emailed to that user (this can expire after a few hours).
- User must click on link in email.
- User is then emailed a randomly generated password upon confirmation
They can then login with this password or change it once they login (optional)
I think this is best from a security perspective as well as easy to use for the end user.
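The one-time, expiring token step of the flow above, as an added Python example that is not code from the original answer. The in-memory store, `TOKEN_TTL_SECONDS` and the `example.invalid` base URL are assumptions; a real application would keep the table in its database.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

# "Expire after a few hours" from the answer above; assumed value.
TOKEN_TTL_SECONDS = 2 * 3600

# Constructed in-memory store. Keyed by the SHA-256 of the token so that a
# leaked copy of the table does not yield usable reset links.
_tokens: Dict[str, dict] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Create a one-time, time-limited token; return the value to embed in the emailed URL."""
    now = time.time() if now is None else now
    # 256 bits from the OS CSPRNG. A UUID is not a safe substitute: only UUID4 is
    # random, and even then the generator is not guaranteed to be unpredictable.
    token = secrets.token_urlsafe(32)
    _tokens[_digest(token)] = {"user_id": user_id, "expires_at": now + TOKEN_TTL_SECONDS}
    return token


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Consume the token. Returns the user id, or None if unknown, expired or already used."""
    now = time.time() if now is None else now
    # pop() removes the record, so a token can be redeemed at most once,
    # and an expired token is discarded on the first attempt as well.
    record = _tokens.pop(_digest(token), None)
    if record is None or now > record["expires_at"]:
        return None
    return record["user_id"]


def build_reset_url(token: str, base: str = "https://example.invalid/reset") -> str:
    """The link placed in the email (hypothetical base URL)."""
    return f"{base}?token={token}"
```

The `now` parameter exists only so expiry can be exercised deterministically; production callers leave it unset.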