Best Approach To Recover Password For A Company

[phdphd]

Hi All,

 

Among other data, my database stores passwords.

 

In the case of individuals, the "forgotten password"/"secret question" approach is OK to recover the password. However, I am not sure for companies, where staff changes from day to day and not everyone would give the same answer to "what is the maiden name of your mother?".

 

So suppose that for whatever reason a company loses the password - what is the best approach to recover it?

 

Thanks for your opinion.

 

[ginerjm]

Perhaps you should limit the number of company staff (1-2) who can even request a password reset. Then you could provide them with a secret token to be used which could be easily changed when it needed to be. That would allow the 'company' to always know who is requesting password changes.

[phdphd]

Thanks.

[ginerjm]

HTH

[Psycho]

You should NOT have a way to recover passwords. Passwords should only be able to be reset. If they can be recovered, that means that you have the ability to access their password (even if it is encrypted) - which may be used on different sites. That is a significant security flaw. Passwords should be hashed (with an appropriate salt)  sometimes referred to a one-way encryption. Even if your site doesn't contain sensitive information, you have a responsibility to your users to strenuously protect their passwords. Many people use the same passwords in multiple places, so if a hacker was to obtain user credentials from your site, they could try the same credentials on other sites (e.g. banking). Note: Do not try to create your own hashing process. Do your research and find one that is already vetted.

 

If a user forgets their password, they should have to "request" a reset by entering their username or email address. That request will send an email (to the registered email for the user account) with a link to reset their password. The link will contain a token that makes it good only a for a limited amount of time. That link will take them to a page where they can answer their security question(s) and then set a new password.

 

Of course, there always needs to be a way (typically through support) to access an account in edge scenarios: someone left the firm, user no longer has that email address, etc.

 

One other thing. The process to request a reset should not leak information. If the user enters a username or email address that does not exist, the response should be the same as if it did. E.g. "An email has been sent to reset your password". If the email does not exist in your system (user entered the wrong email), you could still send an email to the address stating something like "An attempt was made to reset a password using this email address, but it does not exist in our system".

 

Why do all of that? A malicious user could use your password reset request page to data mine email addresses or user IDs by posting values and checking the responses. At best they may just want to have valid emails to spam. At worst, they may be looking for valid user IDs for the purpose of compromising your application.

Edited May 24, 2016 by Psycho

[kicken]

In addition to the above, ultimately it's up to the company to ensure a password is either not lost or can be recovered. For example by registering under an alias email which they can then forward to whoever is in charge at the time. If that person leaves without providing the current password, they can just change their email forward to a new employee and use the normal forgot password process.

 

Of course you'll want to also provide some means of initiating a reset via support channels. You'll have to develop some policy for determining that the person contacting support is authorized to reset the password, then send a reset link to a provided email address.

[phdphd]

Thanks to all!