Almost every application framework ships with a default password reset flow: the user clicks a Reset Password link, is taken to a page that asks for an email address, and a reset link is sent to that address so the user can set a new password on their own.
That default flow is only an email confirmation. Developers and architects have to make sure the flow is hardened beyond that, with the steps below.
1. Set expiry on reset password link
Make sure the reset password link expires after a fixed amount of time, so the user can only reset the password within that window and the link is not usable forever.
2. Application to identify reset password link
Always make sure the web application can recognise the reset password link it issued to the user. Do this by embedding a token in the reset link and validating that token against the application's secure storage when the user follows the link and resets the password.
3. Require complex passwords
Only allow users to set complex passwords; do not accept simple ones.
- Mixed character types (at least one digit, one letter and one punctuation character)
- Both uppercase and lowercase letters
- Minimum length of 8 characters
- Don't allow the username or email address as the password.
- Check password history (prevent users from reusing old passwords).
- Reject generic passwords (like admin, admin123 etc.)
4. User Sessions
When a password reset completes (for a reset the user triggered), clear all of that user's sessions in the application, including sessions on other devices.
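The following is an added example, not code from the original post, that ties together items 1, 2 and 4: the link token is unguessable, only its hash is kept in storage, it is single-use, it expires (15 minutes is an assumed window), and a successful reset drops every session the user holds. The in-memory store, the `now` clock parameter and the session map are constructed stand-ins for the application's real storage.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Set, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a reset link is valid for 15 minutes


class ResetTokenStore:
    """In-memory stand-in for the application's secure storage.

    Only a SHA-256 digest of each token is stored, so a leaked table does not
    give an attacker usable reset links; the raw token exists only in the email.
    """

    def __init__(self, now=time.time):
        self._now = now                                   # injectable clock for testing
        self._tokens: Dict[str, Tuple[str, float]] = {}   # digest -> (user_id, expires_at)
        self.sessions: Dict[str, Set[str]] = {}           # user_id -> active session ids

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        # A newly requested link supersedes any earlier outstanding link for the user.
        self._tokens = {d: v for d, v in self._tokens.items() if v[0] != user_id}
        token = secrets.token_urlsafe(32)                 # 256 bits from the CSPRNG
        self._tokens[self._digest(token)] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        return token                                      # goes into the emailed link only

    def redeem(self, token: str) -> Optional[str]:
        """Consume the token and return the user id it belongs to, or None if invalid."""
        # Direct lookup is safe: the digest of an unguessable token leaks nothing useful.
        entry = self._tokens.pop(self._digest(token), None)   # pop = single use, always
        if entry is None:
            return None                                   # unknown or already used
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None                                   # expired: user must request again
        return user_id

    def complete_reset(self, token: str) -> bool:
        """Validate the link; on success revoke every session the user holds."""
        user_id = self.redeem(token)
        if user_id is None:
            return False
        self.sessions.pop(user_id, None)                  # all devices are logged out
        return True
```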
5. Hash the passwords
Hash the passwords with a current, purpose-built password hashing algorithm (one-way hashing, not reversible encryption).
6. Have questions on reset password form
This is an extra step, but it adds one more check to the reset password flow.
7. Avoid logging sensitive information
Do not log passwords, password hashes, reset tokens, or any sensitive user input that could be used to break the reset password flow.
8. Limit Password retries
This is applicable in certain cases, but should not be applied blindly everywhere.
- Multiple reset password requests from a single IP: limit further password resets from that IP.
- Multiple failed login attempts on an account in a short interval, even from different IPs: reject further attempts. Allow something like 3 failed logins, after which the user must wait for some time.
- Also consider brute-force attacks when deciding how to rate-limit the password reset workflow.
9. Two factor authentication
Requiring two factor authentication is one more step that secures the reset password workflow.
10. Captcha on the reset password form
Put a captcha on the reset password form so that automated submissions face one more hurdle.