Is the Password Recovery Email Secure Enough?
In this article, we discuss the security of password recovery emails and whether it is necessary to include the email address in the recovery ID. We also address best practices for implementing a secure password recovery flow and provide insights on how to improve the user experience.
Workflow Best Practices
Your workflow follows the best-practice rules:
- do not warn if a user presents a nonexistent user id (here the mail address)
- send a message on an already known alternative channel (here the mail) with a reset password link
- on reception of that link, input the new password (twice to avoid possible typos) and store it in the password database
- cleanup the password request list after a definite time (here a few hours)
Other parts are just implementation details, but I would like to comment on one of them: you use a scheduled job running every 5 minutes to send the mails. IMHO, this will provide a poor user experience because 5 minutes for receiving a mail is rather long… I would prefer to immediately send the mail and prevent another mail from being sent again for 5 minutes.
Is the Email Address Necessary in the Recovery ID?
Now for your question: IMHO, passing the email in the link only makes sense if there is a risk of generating the same link for 2 different emails. As those links should contain unpredictable random data, it could be possible depending on other implementation details. But I would rather use a shorter deduplication key (for example, a simple numeric sequence) and a longer random ID. Or, as you need a database table indexed by that pseudo-random ID and giving the associated user ID, along with the time at which it was generated, just rely on the database engine to ensure that those IDs are unique.
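The workflow above (neutral reply for unknown addresses, random link sent immediately and not resent for 5 minutes, request table cleaned up after a few hours, uniqueness left to the database) as an added Python example; it is not code from the question or the answer. It assumes an in-memory SQLite table whose PRIMARY KEY enforces uniqueness, a constructed sample user, a hypothetical send_mail callback, and, going one step beyond the answer, stores only a hash of the token so a leaked table does not yield usable links.

```python
import hashlib
import secrets
import sqlite3
import time

TOKEN_TTL_SECONDS = 3 * 3600      # a reset link dies after a few hours
RESEND_INTERVAL_SECONDS = 5 * 60  # at most one mail per user per 5 minutes
NEUTRAL_REPLY = "If that address is registered, a reset link has been sent."

def open_store():
    """In-memory SQLite store; the PRIMARY KEY makes the engine reject duplicate tokens."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL)")
    db.execute("CREATE TABLE reset_requests (token_hash TEXT PRIMARY KEY, "
               "user_id INTEGER NOT NULL, created_at REAL NOT NULL)")
    db.execute("INSERT INTO users VALUES (1, 'alice@example.invalid')")  # constructed sample user
    return db

def purge_expired(db, now):
    """Cleanup of the request list: drop anything older than the TTL."""
    db.execute("DELETE FROM reset_requests WHERE created_at < ?", (now - TOKEN_TTL_SECONDS,))

def request_reset(db, email, send_mail, now=None):
    """Same reply whether or not the address exists, so nothing leaks about registered users."""
    now = time.time() if now is None else now
    purge_expired(db, now)
    row = db.execute("SELECT id FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return NEUTRAL_REPLY
    user_id = row[0]
    last = db.execute("SELECT MAX(created_at) FROM reset_requests WHERE user_id = ?", (user_id,)).fetchone()[0]
    if last is not None and now - last < RESEND_INTERVAL_SECONDS:
        return NEUTRAL_REPLY  # a mail went out recently; do not send another one yet
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, nothing derived from the email
    db.execute("INSERT INTO reset_requests VALUES (?, ?, ?)",
               (hashlib.sha256(token.encode()).hexdigest(), user_id, now))
    send_mail(email, f"https://example.invalid/reset?token={token}")  # sent immediately, not batched
    return NEUTRAL_REPLY

def consume_token(db, token, now=None):
    """Return the user id for a valid, unexpired token and invalidate it; None otherwise."""
    now = time.time() if now is None else now
    purge_expired(db, now)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    row = db.execute("SELECT user_id FROM reset_requests WHERE token_hash = ?", (token_hash,)).fetchone()
    if row is None:
        return None
    db.execute("DELETE FROM reset_requests WHERE token_hash = ?", (token_hash,))  # single use
    return row[0]
```

The caller's next step, once consume_token returns a user id, is the form asking for the new password twice and writing it to the password database.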