Implement password recovery best practice

Backend · Open · 12 answers · 950 views
天命终不由人 2020-11-30 18:25

I want to implement password recovery in my web application.

I'd like to avoid using secret questions.

I could just send the password by e-mail but I thi

12 answers
  •  隐瞒了意图╮
    2020-11-30 18:58

    Here's how I resolved it:

    I added retrieve_token and retrieve_expiration fields to my 'users' table.

    The user requests a password reset by providing their email and filling out a captcha. A random hashed value is generated for their retrieve_token field, i.e. md5($user_id.time()), while retrieve_expiration is set to a datetime that expires in the next 45 minutes. An email is sent out to the user with a link:

    https://example.com/reset-password?retrieve_token=912ec803b2ce49e4a541068d495ab570

    SSL should be mandatory when authentication is required. You can also add a table for logging reset requests that stores the email and the IP address. It helps track down possible brute-force attacks, and you can block the attacker's IP if necessary.

    You could implement a security question for requesting a password reset, but I feel a captcha would be enough to discourage anyone from repeating the request multiple times.

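The flow in the answer above, as an added example in Python (this is not code from the answer or the original question): the two extra columns on the users table, a 45-minute expiry, the reset link, and a reset-request log with a per-IP cap. It departs from the answer in two deliberate places: the token comes from the OS CSPRNG via `secrets` rather than `md5($user_id.time())`, whose inputs an attacker can narrow down, and the users table stores only a SHA-256 of the token, so a read of the database does not hand out live reset links. `USERS`, `RESET_LOG`, the rate-limit constants and the e-mail addresses are constructed stand-ins, not part of the original post.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed in-memory stand-ins for the 'users' table and the reset-request
# log from the answer (hypothetical; a real app would use its database).
USERS = {
    "alice@example.com": {
        "id": 42,
        "password_hash": None,        # (salt, pbkdf2 digest) once set
        "retrieve_token": None,       # sha256 of the token, never the raw token
        "retrieve_expiration": None,  # aware UTC datetime
    }
}
RESET_LOG = []  # (email, ip, timestamp) rows, for spotting repeated requests

TOKEN_LIFETIME = timedelta(minutes=45)
MAX_REQUESTS_PER_IP = 5          # assumed cap, not from the answer
RATE_WINDOW = timedelta(hours=1)


def _now() -> datetime:
    return datetime.now(timezone.utc)


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def requests_from(ip: str, now: Optional[datetime] = None) -> int:
    """Count reset requests logged for `ip` inside RATE_WINDOW."""
    now = now or _now()
    return sum(1 for _, logged_ip, ts in RESET_LOG
               if logged_ip == ip and now - ts <= RATE_WINDOW)


def request_reset(email: str, ip: str,
                  lifetime: timedelta = TOKEN_LIFETIME) -> Optional[str]:
    """Issue a reset token for `email` and return it for e-mailing.
    Returns None for an unknown address or a rate-limited IP; the HTTP
    response must look the same in every case so the endpoint cannot be
    used to enumerate accounts."""
    now = _now()
    if requests_from(ip, now) >= MAX_REQUESTS_PER_IP:
        return None
    RESET_LOG.append((email, ip, now))
    user = USERS.get(email)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)             # 256 bits from the OS CSPRNG
    user["retrieve_token"] = _hash_token(token)   # a DB leak does not leak tokens
    user["retrieve_expiration"] = now + lifetime
    return token


def reset_link(token: str) -> str:
    return f"https://example.com/reset-password?retrieve_token={token}"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


def consume_reset(token: str, new_password: str) -> bool:
    """Look up the token from the link; if it matches an unexpired record,
    set the new password and clear the token so the link is single-use."""
    digest = _hash_token(token)
    for user in USERS.values():
        stored = user["retrieve_token"]
        if stored is None or not hmac.compare_digest(stored, digest):
            continue
        # Clear before checking expiry: an expired token must not stay usable.
        user["retrieve_token"] = None
        expiration = user["retrieve_expiration"]
        user["retrieve_expiration"] = None
        if expiration is None or _now() >= expiration:
            return False
        salt = secrets.token_bytes(16)
        user["password_hash"] = (salt, _hash_password(new_password, salt))
        return True
    return False


def verify_password(email: str, password: str) -> bool:
    user = USERS.get(email)
    if user is None or user["password_hash"] is None:
        return False
    salt, digest = user["password_hash"]
    return hmac.compare_digest(digest, _hash_password(password, salt))
```

The token comparison uses `hmac.compare_digest` so a timing difference cannot leak how many leading bytes of a guess were right, and the record is cleared on the first match whether or not the token was still valid, so a link works at most once. The 45-minute window and the IP log are the answer's; the per-IP cap is one way to act on that log automatically instead of blocking addresses by hand.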