shobrook / TypeSense

Chrome extension that analyzes a Messenger conversation's sentiment in real-time
MIT License

Password reset by email #40

Closed alichtman closed 6 years ago

alichtman commented 6 years ago

"Help, I forgot my password."

Most websites use an email loop to authenticate users who have forgotten their password.

To do this, generate a random single-use token that is strongly tied to the account. Include it in a password reset link sent to the user's email address. When the user clicks a password reset link containing a valid token, prompt them for a new password. Be sure that the token is strongly tied to the user account so that an attacker can't use a token sent to his own email address to reset a different user's password.

The token should expire 24 hours after it's created OR when it's used.

Expire any existing password tokens when the user logs in (if they remembered their password) or requests another reset token.

Attackers will be able to modify the tokens, so don't store the user account information or timeout information in them. They should be an unpredictable random binary blob used only to identify a record in a database table.

Remember to pick a new random salt when the user resets their password. Don't re-use the one that was used to hash their old password.

alichtman commented 6 years ago

Using Facebook Authentication