Questions tagged [password-reset]
How to let users reset their passwords in a safe manner.
154 questions
2 votes, 0 answers, 49 views
Why can't a Cognito user in the FORCE_CHANGE_PASSWORD state go through the forgot password flow?
If an AWS Cognito User Pool user is in the FORCE_CHANGE_PASSWORD state, they won't be able to go through the "forgot your password" flow to get a password-reset confirmation code. Why not? ...
0 votes, 1 answer, 128 views
Best Practices for WebAuthn FIDO2 reset
Security noob here. I am trying to build a secure passwordless login mechanism for my web service. The authentication mechanisms: My idea is to encourage the users to use the following two login methods: ...
0 votes, 1 answer, 133 views
Strange way of handling forgotten password
I was about to sign up for an e-banking solution, but then noticed their instructions for a forgotten password are: Create a new account. So there's no option to reset your password, just a suggestion to ...
2 votes, 1 answer, 95 views
Is local password recovery for each device a viable security approach?
I'm developing a multi-platform application using Flutter, which involves sensitive user data and requires both online and offline accessibility. To enhance security and usability, I am considering ...
4 votes, 1 answer, 150 views
Is there a problem allowing two accounts to have the same recovery email?
Is it a security problem to allow two different user accounts to have the same email address? If the answer is "no problem", when the user goes to the "forgot username" service, should I send an email ...
2 votes, 0 answers, 706 views
Repeated passwordless login links from LinkedIn
In the past few weeks I've seen periodic attempts of someone logging in to my LinkedIn accounts. They appear to use some sort of one-time login link feature that LinkedIn has, which allows ...
1 vote, 2 answers, 505 views
Is it bad practice to prompt users to reset password when there is no evidence of a breach?
I have received many security emails from LinkedIn over the past few weeks. An example is shown below (redaction mine). I do not live in the USA and I did not try to access LinkedIn at the times these ...
3 votes, 1 answer, 486 views
Should new password links reset old ones? If so, why?
I have noticed on most websites that all previous password reset links are automatically expired when a new one is requested. Why is this so common and what are some possible consequences if this isn'...
8 votes, 3 answers, 6k views
Pros & cons of including requesting IP address in password reset emails?
It has crossed my mind to include the requesting IP address in password reset emails. The intention is that if someone is receiving unexpected reset emails, this allows them to do a basic level of ...
0 votes, 0 answers, 109 views
How could one use multi-factor authentication to derive a static secret key?
Scenario: The setup is that each user has a randomly generated key A used for encrypting data stored on the server and a password-derived key B used to store A on the server without the server getting ...
3 votes, 4 answers, 462 views
When resetting password after forgetting it, why is there a need to notify "Password cannot be your previous password"?
This is from the perspective of someone who had supposedly forgotten their password. We're doing this project wherein we "secure" an application that was given to us. We added this "...
0 votes, 1 answer, 925 views
How to generate an actually valid NTLM hash for chntpw (for SAM hive file injection)
I am currently working on a solution to at least try to implement a working/modern "change password" option to chntpw. First of all: Windows uses this format in its hive file: root@rescue /...
1 vote, 2 answers, 157 views
Exploiting the scenario and how to generate a secure reset password token
I am using the following line of code to create a reset password code sent to the user in his/her email. When I scan my Ruby code with Brakeman, this line of code is caught and it describes it as it ...
1 vote, 0 answers, 82 views
Pre-Hijacking Mitigation
I want to create a website with password login and social login (e.g. Google only.) For password login, first I will send a verification email. I want to prevent pre-hijacking. For those who do not ...
0 votes, 1 answer, 149 views
Password reset encryption mechanism based on username [duplicate]
Short: I know 0x02135 gets encrypted to -> NzY4MzY5, 0x02136 gets encrypted to -> NzcxMzc0, ...etc. I want to know what 0x02137 will get encrypted to -> ??? (in ...