Careful not to innovate yourself a new security hole

A friend sent this link today: The author of the article describes the password reset method as the best he as ever seen. I like the fact that the developer was thinking outside of the box and trying to come up with new innovative ways of resetting passwords but I personally think this one needs to be revisited ASAP.

As Aral described in his post, the method requires that you click the "Forgot Password" link, enter your email address and new password then wait on a link to be emailed to you. When you click the link, your password is reset automatically. You aren't logged in, the password is just changed.

My problem with this is that when most people see an email from a trusted site that contains links, they tend to click those links. So, in this case, if I knew your email address, I could have a reset link sent to you. If you clicked that link, your password would be changed to the password that I defined. Basically, this would lock you out of your account until you reset the password again. If I managed to log in to the account before you were able to reset the password (or before you even realized you needed to), I could change the email address. Once that has been done, you no longer have access to your account or a means of regaining that access. Essentially, all your account r belong to me :-)

If you have ever used the forgot password feature on this site, you have seen my favorite method. I won't claim it is the best because I think each feature needs to fit it's application but I will claim it is the easiest method I've used.

When you use the forgot password feature on, you just enter your email address. The link you receive in your email address logs you into your account and immediately takes you to your profile page. From there, you can change your password with a normal profile update. Simple, quick and easy.

Most Recent Photos