
Which is harder to exploit: a password reset link with tokens/timestamps/codes/tickets, etc., or a temporary password sent to the user's email, with which the user can log in and then change the password?

Any suggestions on how they can be exploited please?

user228198
  • I think the reset link is more convenient, but possibly adds one attack vector... intercepting the reset pass when navigating via the link. The standard kinds of phishing/cross-site attacks apply to both. – pcalkins Mar 02 '20 at 21:08
  • It could be considered a DoS if a user password can be changed without the user first clicking a link in an email to do so. – multithr3at3d Mar 03 '20 at 12:12
  • Just remember to not set the temporary password right away, let the user verify the reset procedure first. – Batuhan Apr 01 '20 at 07:56

2 Answers


I am not sure how to directly exploit the password reset links, but the link pattern can definitely be used for phishing campaigns. However, for temporary passwords I feel that their strength depends on how guessable they are and how strong the password-generating algorithm is. If they are random like an OTP, there might be an issue of randomness.

Ab1010

Receiving a plain-text password (that the user must change upon login) and receiving a link with a token are the same, as long as they meet security policies that are not tied to either type on its own. Some good policies are:

  1. Time-based expiration of the temporary password or token.
  2. Complex, randomly generated passwords/tokens (not guessable based on the user's data).
  3. Generating the new password sent by email should not invalidate the user's current password, since, as pointed out by user multithr3at3d, it would cause a DoS to a legitimate user if the request had been made by an unauthorized person.
MoralMente
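As an added example (not part of MoralMente's answer or the original page), here is a Python sketch of a reset-token flow that implements the three policies above: a short lifetime, an unguessable CSPRNG token of which only a hash is stored, and no change to the current password until the user confirms the link. The in-memory user store and the 15-minute lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # policy 1: short-lived tokens (assumed value)

# Constructed in-memory stores standing in for a database (hypothetical).
users = {"alice": {"password_hash": "hash-of-current-password"}}
pending_resets = {}  # username -> (sha256(token), expires_at)


def _digest(token: str) -> str:
    # Only a hash of the token is stored, so a leaked table does not expose live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(username: str, now: Optional[float] = None) -> str:
    """Policy 2: a 256-bit CSPRNG token that carries nothing derived from user data.
    Policy 3: the existing password is NOT touched here; only a pending reset is recorded."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    pending_resets[username] = (_digest(token), now + TOKEN_TTL_SECONDS)
    return token  # this value goes into the emailed link


def confirm_reset(username: str, token: str, new_password_hash: str,
                  now: Optional[float] = None) -> bool:
    """Accept the token once, only before expiry, and only then replace the password."""
    now = time.time() if now is None else now
    record = pending_resets.get(username)
    if record is None:
        return False
    stored_digest, expires_at = record
    if now > expires_at:
        pending_resets.pop(username, None)  # policy 1: expired tokens are discarded
        return False
    if not hmac.compare_digest(stored_digest, _digest(token)):  # constant-time compare
        return False
    pending_resets.pop(username, None)  # single use: a replayed link is rejected
    users[username]["password_hash"] = new_password_hash
    return True
```

Rate limiting of confirm attempts per account is left out here and would be added in front of `confirm_reset` in a real service.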