1

Links that expire can be found anywhere from Email Verification to Password Reset procedures, I understand in most cases this is considered "security theater", but wanted to know what a viable time-frame is for a link to be valid?

Is 10-15 minutes acceptable? With all the unknown factors of email delays etc?

Is a shorter duration considered more secure? Thanks.

bfritz
  • 111
  • 3
  • In my experience 24-hours is more command that 10-15 minutes, for exactly the reason you say – paj28 Sep 25 '15 at 08:42
  • 1
    I think that this question is impossible to answer without understanding the security requirements of the entire system and what functionality the links provide. Perhaps if you reword it to something like "What are the factors to consider when determining how long the delay should be?" you would get more help. – Neil Smithline Sep 25 '15 at 16:11
  • @NeilSmithline how about the functionality mentioned above "Email Verification and Password Reset" scenarios, and also the site does have personal "sensitive" information. And you are correct, I do want to know the factors to consider as I already know a few which make that timeframe nearly impossible. – bfritz Sep 25 '15 at 21:08
  • [Password rest - web services best practices](http://security.stackexchange.com/a/18302/52676) is a useful related answer. But not an answer to your question. – RoraΖ Oct 01 '15 at 11:35

1 Answers1

1

IMHO 10-15m is too short for almost all cases.
It practically excludes almost all delayed deliveries e.g. due to

  • greylisting (quite widespread anti-spam technique)
  • temparary overloads or temporary network problems

RFC1123/5.3.1 recomends delivery retries no more often than 30 minutes.
Anyway very short timeout (2-5 minutes) may make some sense in higher security procedures.

Community
  • 1
AnFi
  • 223
  • 1
  • 4