Created April 13, 2017 08:56
Login and Password reset notes
- Rate limit login attempts - after 3 failures, include a captcha.
- When prompting for the username/email address, provide the same response whether or not the username exists: "An email has been sent to x---@y----.--- with instructions". This prevents username enumeration.
- Token generation - create a token, send it by email and store a HASHED version of the token (plain SHA-2 is sufficient) in the database.
- Token should expire within 2 hours, perhaps only 30 minutes.
- The email should include:
  - a link to the password reset page to get a new token if the old one has expired
  - the requestor's IP address
  - optionally a "this wasn't me" link to invalidate the token immediately
- Store the token provided in the URL in the session and then instantly redirect to the password reset page, to avoid leaking the token to a third party via the Referer header on other assets such as those from a CDN.
- On successful reset:
  - clear all sessions for that user
  - confirm the password reset by email but DON'T include the new password in the email!
  - optionally, invalidate the current session and make the user log in again with their freshly changed password
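The token lifecycle from these notes (uniform response, random token, hashed storage, expiry, constant-time check, single use, session clearing) as an added example; this is not code from the gist. The dictionaries stand in for database tables and the outbound mail queue and are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 60   # the notes suggest 30 minutes, at most 2 hours

# Constructed in-memory stand-ins for the database and the mail queue.
USERS = {"alice@example.com": "pw-hash-old"}   # email -> password hash
RESET_TOKENS = {}                               # email -> {"hash", "expires", "ip"}
SESSIONS = {"s1": "alice@example.com", "s2": "alice@example.com",
            "s3": "bob@example.com"}            # session id -> email
SENT_EMAILS = []                                # (recipient, plaintext token, requester ip)
GENERIC_REPLY = "If that address is registered, an email has been sent with instructions."


def request_reset(email, requester_ip, now=None):
    """Always return the same message so the reply does not reveal whether the account exists."""
    now = time.time() if now is None else now
    if email in USERS:
        token = secrets.token_urlsafe(32)                     # unguessable, CSPRNG-backed
        RESET_TOKENS[email] = {
            "hash": hashlib.sha256(token.encode()).hexdigest(),  # only the hash is persisted
            "expires": now + TOKEN_TTL_SECONDS,
            "ip": requester_ip,
        }
        SENT_EMAILS.append((email, token, requester_ip))      # the email carries token and IP
    return GENERIC_REPLY


def verify_reset_token(email, token, now=None):
    """True only if an unexpired record exists and its hash matches (constant-time compare)."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(email)
    if record is None or now > record["expires"]:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    return hmac.compare_digest(presented, record["hash"])


def complete_reset(email, token, new_password_hash, now=None):
    """Consume the token, store the new password hash and clear every session of that user."""
    if not verify_reset_token(email, token, now):
        return False
    del RESET_TOKENS[email]                                   # single use
    USERS[email] = new_password_hash
    for sid in [s for s, u in SESSIONS.items() if u == email]:
        del SESSIONS[sid]
    return True
```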
Info from (among others):
https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
https://www.troyhunt.com/everything-you-ever-wanted-to-know/
https://postmarkapp.com/guides/password-reset-email-best-practices