Secure your Web Application's Reset Password flow

By Karthik Kumar D K, 22nd Jan 2023 (2023-01-22T08:00:00+05:30)

Almost every application framework ships with a default password reset flow: the user clicks a Reset Password link, is redirected to a page that asks for an email address, and a reset link is sent to that address so the user can choose a new password on their own.

That default is a starting point, not a finished design. Developers and architects have to make sure the flow is secured by more than an email confirmation, because whoever controls a working reset link controls the account.

This article lists inputs that help developers and architects design and build a better secured password recovery flow for a web application.

1. Set an expiry on the reset password link

Make sure the reset link expires after a short, fixed interval (tens of minutes, not days), so the user can only reset the password within that window and a leaked or forwarded link does not stay usable forever. Treat the link as single-use as well: once the password has been changed, or a newer link has been requested, the old link must be rejected.

2. Let the application identify the reset password link

Always make sure the web application can identify and verify the reset link it sent. Do this by embedding a token in the link, generated from a cryptographically secure random source and long enough that it cannot be guessed, and by storing a record of it in the application's secure storage (preferably a hash of the token rather than the token itself), bound to the user who requested the reset and to its expiry time. When the user follows the link, look the token up, check that it is unexpired and unused, and only then let them set a new password. Also respond with the same message whether or not the submitted email address belongs to an account, so the form cannot be used to enumerate users.

3. Require complex passwords

Allow users to set only passwords that meet a minimum strength policy; reject simple ones:

  • Mixed character types (at least one digit, one letter and one punctuation character)
  • Both uppercase and lowercase letters
  • A minimum length of 8 characters (longer is better; extra length adds more strength than extra character classes)
  • Don't allow the username or email address as the password
  • Check the password history so users cannot set a password they have used before
  • Reject generic passwords (admin, admin123, password, etc.) and, where possible, passwords known from public breach lists

4. User sessions

When a password reset completes, invalidate every existing session and refresh token for that user, including those on other devices, so that anyone holding a stolen session is logged out. If you log the user in after the reset, issue a fresh session only for the browser that completed it.
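As an added example that is not part of the original article, the following Python sketch implements points 1, 2 and 4 together: it issues a random single-use token with an expiry, stores only a hash of it, validates the token when the link is used, and drops every session for the user once the reset completes. The in-memory store, the endpoint `https://example.com/reset-password` and the 15-minute lifetime are assumptions made for the demo, not anything the article specifies. It goes slightly beyond the text in two places: the stored record is a hash of the token, so a leaked table does not contain usable links, and issuing a new link retires any earlier one for the same user.

```python
"""Reset-token lifecycle for points 1, 2 and 4 (constructed example, not the article's code)."""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: a reset link is valid for 15 minutes
RESET_URL = "https://example.com/reset-password"  # hypothetical endpoint


class ResetRecord:
    """What the application stores for one issued link: never the raw token."""

    def __init__(self, user_id, token_hash, expires_at):
        self.user_id = user_id
        self.token_hash = token_hash  # SHA-256 of the token; a leaked table yields no usable link
        self.expires_at = expires_at
        self.used = False


class InMemoryStore:
    """Stand-in for the application's secure storage (a database or cache in practice)."""

    def __init__(self):
        self.resets = {}    # token_hash -> ResetRecord
        self.sessions = {}  # user_id -> set of active session ids across all devices


def hash_token(token):
    # Tokens are 256-bit random values, so a plain SHA-256 is enough here;
    # the slow hash used for passwords is only needed for guessable secrets.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(store, user_id, now=None):
    """Create a fresh single-use token for the user; return the raw token for the email link."""
    now = time.time() if now is None else now
    # Any earlier outstanding link for this user stops working once a new one is issued.
    for record in store.resets.values():
        if record.user_id == user_id:
            record.used = True
    token = secrets.token_urlsafe(32)  # 32 bytes from the OS CSPRNG, URL-safe base64
    token_hash = hash_token(token)
    store.resets[token_hash] = ResetRecord(user_id, token_hash, now + TOKEN_TTL_SECONDS)
    return token


def build_reset_link(token):
    return f"{RESET_URL}?token={token}"


def consume_reset_token(store, token, now=None):
    """Validate a token from the link; return the user id, or None if unknown, expired or used."""
    now = time.time() if now is None else now
    record = store.resets.get(hash_token(token))
    if record is None or record.used or now > record.expires_at:
        return None
    record.used = True  # a link works exactly once
    return record.user_id


def complete_reset(store, token, set_password, now=None):
    """Validate the link, set the new password, then log the user out everywhere (point 4)."""
    user_id = consume_reset_token(store, token, now)
    if user_id is None:
        return False
    set_password(user_id)              # caller hashes and stores the new password
    store.sessions.pop(user_id, None)  # every session on every device is gone
    return True
```

The token never appears in the store, so validation is a lookup by hash rather than a comparison against a stored secret; the expiry and single-use checks run on the stored record, and the session wipe happens only after the new password has actually been written.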

5. Hash the passwords

Never store passwords in plain text or with reversible encryption. Hash them with a slow, salted password hashing function designed for the purpose, such as Argon2id, bcrypt, scrypt or PBKDF2, using a unique random salt per password and a work factor high enough to make offline guessing expensive. A fast general-purpose hash such as MD5 or SHA-256 on its own is not suitable for passwords.
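As an added example that is not part of the original article, this Python block covers points 3 and 5 together: a policy checker for the rules listed above, built on a salted slow hash so that the password-history rule can be enforced against stored hashes rather than plaintext. PBKDF2-HMAC-SHA256 from the standard library is used so the block runs anywhere; Argon2id or bcrypt through a maintained library would be the preferred choice in production. The blocklist, the rule names and the 8-character minimum are assumptions for the demo.

```python
"""Password policy checks (point 3) on top of slow salted hashing (point 5); constructed example."""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8
PBKDF2_ITERATIONS = 600_000  # OWASP's recommended iteration count for PBKDF2-HMAC-SHA256
# Small constructed blocklist; a real deployment would also consult a breached-password corpus.
GENERIC_PASSWORDS = {"admin", "admin123", "password", "password1", "welcome1", "qwerty"}


def hash_password(password, salt=None):
    """Return a self-describing string 'pbkdf2_sha256$iterations$salt_hex$hash_hex'."""
    salt = os.urandom(16) if salt is None else salt  # unique random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def policy_violations(password, username, email, previous_hashes):
    """Return the policy rules the candidate password breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("needs upper and lower case")
    lowered = password.lower()
    if lowered in {username.lower(), email.lower(), email.split("@")[0].lower()}:
        problems.append("matches username or email")
    if lowered in GENERIC_PASSWORDS:
        problems.append("generic password")
    # History check: each stored hash has its own salt, so the candidate must be
    # re-hashed against every entry; keep the history short to bound the cost.
    if any(verify_password(password, h) for h in previous_hashes):
        problems.append("reused previous password")
    return problems
```

Because each stored hash carries its own salt, the history rule cannot be a simple set lookup; the candidate is verified against each retained hash, which is also why the history should be capped at a handful of entries.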

6. Have questions on the reset password form

This is an extra step, and it adds one more hurdle to the reset flow. Treat it as a supplement rather than a safeguard on its own: answers to typical security questions are often guessable or findable on social media, current OWASP and NIST guidance discourages relying on them, and if you do use them the answers must be stored hashed like passwords.

7. Logging

Log reset requests and completions (which account, when, and from which address) so abuse can be investigated, but never log passwords, password hashes, reset tokens, or any other sensitive user input that would let someone with log access subvert the reset flow.

8. Limit password reset and login attempts

This applies in certain cases and the thresholds should be tuned rather than applied blindly, but some limits are always worth having:

  • Many reset password requests from one IP address in a short interval: rate limit further reset requests from that IP.
  • Many failed login attempts on one account in a short interval, even from different IP addresses: refuse further attempts for a while. Something like 3 failed logins followed by a waiting period is a common starting point.
  • Consider brute-force attacks when setting these limits: the reset token itself must be long enough that guessing it is hopeless, and the endpoint that validates tokens needs the same throttling as the login form.
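As an added example that is not part of the original article, here is a Python sliding-window throttle for the cases listed above: a per-IP cap on reset requests, a per-account cap so a distributed flood aimed at one user is also stopped, and a per-account lockout after repeated failed logins that ignores the source IP. The limits (5 resets per IP per hour, 3 per account per hour, 3 failed logins per 15 minutes) are assumed values for the demo; time is passed in explicitly so the behaviour can be checked without waiting.

```python
"""Throttling for the reset-password and login endpoints (point 8); constructed example."""
from collections import defaultdict, deque


class SlidingWindowCounter:
    """Counts events per key inside a moving time window."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._events = defaultdict(deque)  # key -> timestamps of recent events

    def _prune(self, key, now):
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop events that have aged out of the window
        return q

    def count(self, key, now):
        return len(self._prune(key, now))

    def record(self, key, now):
        self._events[key].append(now)

    def try_acquire(self, key, now):
        """Record the event and return True, or return False (recording nothing) at the limit."""
        q = self._prune(key, now)
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Assumed thresholds; tune them to the application's real traffic.
RESETS_PER_IP = (5, 3600)       # at most 5 reset requests per IP per hour
RESETS_PER_ACCOUNT = (3, 3600)  # at most 3 reset requests per account per hour
FAILED_LOGINS = (3, 900)        # 3 failed logins on an account => wait 15 minutes


class ResetThrottle:
    def __init__(self):
        self.per_ip = SlidingWindowCounter(*RESETS_PER_IP)
        self.per_account = SlidingWindowCounter(*RESETS_PER_ACCOUNT)
        self.failed_logins = SlidingWindowCounter(*FAILED_LOGINS)

    def allow_reset_request(self, ip, account, now):
        """Both the source IP and the target account are limited, so neither a single noisy
        client nor a distributed flood aimed at one account gets through. Both counters are
        charged on every attempt, and the caller should return the same generic message
        either way, never revealing which limit fired or whether the account exists."""
        ip_ok = self.per_ip.try_acquire(ip, now)
        account_ok = self.per_account.try_acquire(account, now)
        return ip_ok and account_ok

    def record_failed_login(self, account, now):
        self.failed_logins.record(account, now)

    def login_allowed(self, account, now):
        """Per-account lockout; the IP is deliberately ignored because attackers rotate addresses."""
        return self.failed_logins.count(account, now) < self.failed_logins.limit
```

A sliding window is used instead of fixed buckets so that a burst at the end of one period and another at the start of the next cannot double the effective limit; in a multi-node deployment the counters would live in a shared store such as a cache rather than in process memory.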

9. Two-factor authentication

Requiring a second factor (an authenticator app code, a hardware key, or a code sent over a channel other than the email that received the link) before the new password is accepted is one more step toward securing the reset workflow: a compromised mailbox alone is then not enough to take over the account.

10. CAPTCHA

Put a CAPTCHA on the reset password form so that automated scripts cannot mass-submit reset requests; it adds friction for bots while leaving the flow unchanged for humans.

These are some basic inputs on securing the reset password flow. Thanks for reading; for more science and technology articles, read our other blog posts.
