I want to implement password recovery in my web application.
I'd like to avoid using secret questions.
I could just send the password by e-mail but I thi
I don't understand the attitude towards the secret question method. It's not like I am going to make my password "BlueHouse" and then make my security question "What are your two favorite things?" and the answer "Blue and Houses". The security question is not the magic key to get the actual password. It's usually a way to get a new password sent to the email address on file. I don't know how else you guys do it, but it sounds like you do one of two things.
1) The user clicks an "I forgot my password" button and the new password is sent to the user.
2) The user clicks an "I forgot my password" button and then has to answer a security question before getting the new password emailed to the address on file.
Seems to me that option number 2 is more secure.
Why is sending a token any more secure than sending the password? If an email account has been hacked, it's been hacked. It doesn't matter if there is a link to reset the password, a token, or a new password. Don't forget, most sites don't say "The new password has been sent to the following email address for you to hack into". A hacker would need to guess the email address that needs to be hacked.
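For reference, here is the token-based reset flow that the comment above contrasts with mailing a new password, written as an added example (not code from the question, the commenter, or any library). It assumes a hypothetical in-memory user table and pending-reset table standing in for the application's database, a 15-minute token lifetime, and an injectable clock so the expiry path can be exercised. The properties shown are the ones that distinguish a reset token from a mailed password: the token is random, short-lived, single-use, and stored only as a hash, so neither a database read nor a stale mailbox message yields a working credential.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Assumed token lifetime; real deployments pick their own (typically minutes, not days).
TOKEN_TTL_SECONDS = 15 * 60
PBKDF2_ROUNDS = 200_000


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256, encoded as 'salt_hex$digest_hex'."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return secrets.compare_digest(digest.hex(), digest_hex)


@dataclass
class ResetRecord:
    user_id: str
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Hypothetical reset service over an in-memory store (assumption of this example).

    users: dict user_id -> {"email": str, "password_hash": str}
    now:   clock function, injectable so tests can advance time.
    """

    def __init__(self, users: dict, now=time.time):
        self.users = users
        self.now = now
        # Keyed by the SHA-256 of the token: the plaintext token is never persisted.
        self.pending: dict[str, ResetRecord] = {}

    @staticmethod
    def _token_hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email: str):
        """Return the plaintext token to mail to the address on file, or None.

        The caller should show the same 'check your email' message either way,
        so the response does not reveal whether the address has an account.
        """
        user_id = next((uid for uid, u in self.users.items() if u["email"] == email), None)
        if user_id is None:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of randomness from the OS CSPRNG
        self.pending[self._token_hash(token)] = ResetRecord(
            user_id=user_id, expires_at=self.now() + TOKEN_TTL_SECONDS
        )
        return token

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Consume the token and set the new password. Fails closed on unknown,
        expired, or already-used tokens."""
        rec = self.pending.get(self._token_hash(token))
        if rec is None or rec.used or self.now() > rec.expires_at:
            return False
        rec.used = True  # single use: replaying the same emailed link does nothing
        self.users[rec.user_id]["password_hash"] = hash_password(new_password)
        return True


if __name__ == "__main__":
    # Constructed sample user for a stand-alone run.
    svc = PasswordResetService({"u1": {"email": "alice@example.com", "password_hash": hash_password("old")}})
    tok = svc.request_reset("alice@example.com")
    print("reset ok:", svc.complete_reset(tok, "new-password"))
    print("replay ok:", svc.complete_reset(tok, "new-password"))
```

The mailed link would carry the token as a query parameter; the server only ever compares its hash against the pending table, so whoever reads the database later still cannot complete a reset with what they find there.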