random password generation
Hi All,
We have a link on the login page, "Forgot Password"?
As the user clicks the link, the idea is that he goes to a page that has an email address field and a submit button.
As the user enters his email address and clicks submit, the mechanism generates a new password and sends it over to his email address.
My question is, "I don't know how to generate that new random password."
Is there code around that I can use?
thanks a lot,
pp
By prity1a at 2007-11-26 18:21:39

I'm no security expert, but that should be the responsibility of your authentication software, not the webapp.
What is so hard? Create an array of valid characters. Get random characters from that array till you have a password of valid length.
Kaj
> Hi All,
>
>
> We have a link on login page "Forgot Password" ?
>
> As users clicks the link, idea is he goes to page
> that has emails address and submit button.
I hope you aren't allowing them to enter the e-mail address on that page, otherwise that is a very bad security hole.
> I hope you aren't allowing them to enter the e-mail
> address on that page, otherwise that is a very bad
> security hole.
...but many systems are implemented like that. The user must have used that address when he registered, and the password is sent to that address. I think that actually is what this forum does.
Kaj
It's easy enough to generate a random password. Use a constant string containing your alphabet (different systems have different rules about what characters are allowed). Then use Random first to generate a suitable length, then to pick a character from your alphabet for each slot. If there are further rules (e.g. "must contain at least one digit") then check the password you've just generated and if it fails the test, simply try again.
But this isn't a particularly good system. It allows anyone to harass a user by changing their password if they can guess their user name.
The approach I favour is to send the user a one-time click-through URL in an e-mail which allows them to set their password to anything they choose. That needs a special table in some database. You generate a random token which acts as a one-shot password on a special "change password" page. As soon as the click-through has been used then the database entry is deleted so that the token is invalidated. You should also invalidate the token if they log on in the normal way.
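The one-shot token flow described in the post above (and the "confirm by clicking a URL" variant suggested later in the thread), as an added example; this is not code from the thread. Class and method names, the 30-minute token lifetime and the example.invalid reset URL are assumptions, and the in-memory maps stand in for the "special table" and the mail queue so it runs offline. Two details go beyond the post: the table stores only the SHA-256 of the token, so reading the table does not yield usable links, and requestReset returns the same message whether or not the address is registered.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/** One-time password-reset tokens. Illustrative names; not the thread's code. */
public final class PasswordResetService {

    private static final SecureRandom RNG = new SecureRandom();
    private static final Duration TTL = Duration.ofMinutes(30); // assumed lifetime

    private static final class Entry {
        final String username;
        final Instant expires;
        Entry(String username, Instant expires) { this.username = username; this.expires = expires; }
    }

    // Constructed user store (e-mail -> username); stands in for the account table.
    private final Map<String, String> usersByEmail = new HashMap<>();
    // The "special table": SHA-256(token) -> owner and expiry. Only the hash is kept.
    private final Map<String, Entry> tokens = new HashMap<>();
    // Stand-in for outgoing mail so the example runs offline.
    private final Map<String, String> lastMail = new HashMap<>();

    public void addUser(String email, String username) { usersByEmail.put(email, username); }

    /** "Forgot password" step. Same reply whether or not the address exists. */
    public String requestReset(String email) {
        String username = usersByEmail.get(email);
        if (username != null) {
            byte[] raw = new byte[32];                       // 256 bits of randomness
            RNG.nextBytes(raw);
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            invalidateFor(username);                         // at most one live token per user
            tokens.put(hash(token), new Entry(username, Instant.now().plus(TTL)));
            lastMail.put(email, "https://example.invalid/reset?token=" + token); // assumed URL
        }
        return "If that address is registered, a reset link has been sent.";
    }

    /** Click-through step. The entry is deleted on first use, whatever the outcome. */
    public Optional<String> consume(String token) {
        Entry e = tokens.remove(hash(token));                // removal is what makes it one-shot
        if (e == null || Instant.now().isAfter(e.expires)) return Optional.empty();
        return Optional.of(e.username);
    }

    /** A normal login also invalidates any outstanding token, as the post recommends. */
    public void onSuccessfulLogin(String username) { invalidateFor(username); }

    private void invalidateFor(String username) {
        tokens.values().removeIf(e -> e.username.equals(username));
    }

    String lastMailFor(String email) { return lastMail.get(email); }

    private static String hash(String token) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException ex) {
            throw new IllegalStateException(ex);
        }
    }

    public static void main(String[] args) {
        PasswordResetService svc = new PasswordResetService();
        svc.addUser("alice@example.com", "alice");
        System.out.println(svc.requestReset("nobody@example.com"));  // same text, nothing sent
        System.out.println(svc.requestReset("alice@example.com"));
        String link = svc.lastMailFor("alice@example.com");
        String token = link.substring(link.indexOf("token=") + 6);
        System.out.println("first use:  " + svc.consume(token));     // Optional[alice]
        System.out.println("second use: " + svc.consume(token));     // Optional.empty
    }
}
```

The real "change password" page would call consume(token) and, only when it returns a username, let that user set a new password; the token itself is never written to a log or stored in clear.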
> But this isn't a particularly good system. It allows
> anyone to harrass a user by changing their password
> if they can guess their user name.
What's the difference between sending a click-through URL or a password? They are both sending something to a trusted e-mail address so they both have the same flaw.
Kaj
> ..but many systems are implemented like that. The
> user must have used that address when he registered,
> and the password is sent to that address. I think
> that actually is what this forum does.
>
> Kaj
Did you actually just recommend doing something because it's how this forum works? :-P
But seriously, I don't see why you'd take the generation of the new password out of the authentication/password management domain. The OP makes it sound like his webapp will be generating the new password, but it should only request that a new password be generated. The email to the user should let them verify that they want to change the password, say by clicking through to a secure URL, that way their password doesn't change unless they confirm it.
Something like this should get you started.
    public class PasswordGenerator
    {
        public static void main(String[] args)
        {
            // Alphabet of allowed characters; adjust to the target system's rules.
            final String alphaNum = "0123456789abcdefghijklmnopqrstuvwxyz";
            final int passwordLength = 6;
            StringBuilder password = new StringBuilder(passwordLength);
            for (int i = 0; i < passwordLength; i++)
            {
                // Pick one character per slot. Math.random() is not a cryptographically
                // strong generator (SecureRandom is recommended later in the thread).
                password.append(alphaNum.charAt((int) (Math.random() * alphaNum.length())));
            }
            System.out.println(password);
        }
    }
Probably not the neatest/best solution but something to go on nonetheless.
> It's easy enough to generate a random password. Use a
> constant string containing your alphabet (different
> systems have different rules about what characters
> are allowed). Then us Random first to generate a
> suitable length, then to pick a character from your
> alphabet for each slot. If there are further rules
> (e.g. "must contain at least one digit") then check
> the password you've just generated and if it fails
> the test, simply try again.
>
> But this isn't a particularly good system. It allows
> anyone to harrass a user by changing their password
> if they can guess their user name.
>
> The approach I favour is to send the user a one-time
> click-thru URL in an e-mail which allows them to set
> their password to anything they chose. That needs a
> special table in some data base. You generate a
> random token which acts as a one-shot password on a
> special "change password" page. As soon as the click
> through has been used then the database entry is
> deleted so that the token is invalidated. You should
> also invalidate the token if they log on in the
> normal way.
I agree that the 'forgot your password' feature is nasty. I mean, we are normally enjoined from saying "invalid user id" or "invalid password", we have to say "invalid user id / password combination" or something to that effect. But by providing the 'forgot your password' feature, it would be trivial to write a bot to see which sites provide this, determine a good page from a bad (e.g., valid user id) and then have an easier time brute-forcing the password. Sad.
On the other hand, I know personally that many companies are concerned with phishing attacks on their customers. As such, they have a blanket policy prohibiting any URL that hits a secured page in any way.
So, what to do? :^(
- Saish
@ OP: You want to use SecureRandom rather than simply generating it yourself. Try to set the seed with something at least vaguely non-deterministic (such as the login time (millisecond portion only) XORed against the current system time (millisecond portion only) XORed against the user id signing in, etc.)
- Saish
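Putting the two generation suggestions from the thread together (pick each character from a fixed alphabet and simply retry when a policy rule fails, and draw the characters from SecureRandom), as an added example rather than code from the thread. Class, method and alphabet choices are mine. It does not call setSeed(): a SecureRandom seeds itself from the platform entropy source, and a seed built from clock fields would be narrower than the one it replaced. The alphabet leaves out look-alike characters because the password will be read out of an e-mail and typed.

```java
import java.security.SecureRandom;

/** Random password generator for a "send a new password" flow. Illustrative names. */
public final class RandomPasswordGenerator {

    // No 0/O, 1/l/I: the user has to transcribe this from an e-mail.
    private static final String LOWER  = "abcdefghijkmnopqrstuvwxyz";
    private static final String UPPER  = "ABCDEFGHJKLMNPQRSTUVWXYZ";
    private static final String DIGITS = "23456789";
    private static final String ALPHABET = LOWER + UPPER + DIGITS;   // 57 symbols

    // Self-seeded from the OS entropy source; no setSeed() with a time value.
    private static final SecureRandom RNG = new SecureRandom();

    public static String generate(int length) {
        if (length < 3) throw new IllegalArgumentException("length must be >= 3");
        while (true) {
            char[] buf = new char[length];
            for (int i = 0; i < length; i++) {
                // nextInt(bound) is uniform over [0, bound); a hard-coded 36 or a
                // modulo over a mismatched alphabet size would bias the output.
                buf[i] = ALPHABET.charAt(RNG.nextInt(ALPHABET.length()));
            }
            String candidate = new String(buf);
            // Policy check with retry, as the thread suggests. Regenerating keeps the
            // distribution uniform; patching a digit in at a fixed slot would not.
            if (meetsPolicy(candidate)) return candidate;
        }
    }

    /** Example rule set: at least one lower-case, one upper-case and one digit. */
    static boolean meetsPolicy(String p) {
        boolean lower = false, upper = false, digit = false;
        for (char c : p.toCharArray()) {
            if (LOWER.indexOf(c) >= 0) lower = true;
            else if (UPPER.indexOf(c) >= 0) upper = true;
            else if (DIGITS.indexOf(c) >= 0) digit = true;
        }
        return lower && upper && digit;
    }

    /** Entropy in bits: length * log2(alphabet size). 12 chars over 57 symbols is about 70 bits. */
    static double entropyBits(int length) {
        return length * (Math.log(ALPHABET.length()) / Math.log(2));
    }

    public static void main(String[] args) {
        String pw = generate(12);
        System.out.println(pw + "  (~" + (int) entropyBits(12) + " bits)");
    }
}
```

Whatever is mailed out should also be marked as a temporary password that must be changed at first login, and the old password invalidated only once the mail has actually been handed to the mail system.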