How to Implement a Forgot Password Link Securely in Your Applications

Forgot password is a feature available on all login pages. The question to ask, however, is whether it is secure. It is very important to secure this feature, because a weak implementation acts as a gateway for attackers to get into a user's account and carry out malicious activities.

How does forgot password work?

In simple words: first the user clicks the forgot password link, which asks the user to enter his/her email id. Once the email id is submitted it is verified on the server side, and a link is sent to the user's email account. On clicking that link, the user is directed to a page where he or she can reset the password.

Fig. 1: Process of forgot password (image alt text: "CSRF attack")

In the beginning, when forgot password came into existence, there was no 2nd, 3rd or 4th stage in the process shown in Fig. 1. Directly on clicking the 'forgot password' link, the user was redirected to the reset password page. In short, no verification was done. Many attackers took advantage of this by taking full control of users' accounts, which caused issues across the entire CIA model (confidentiality, integrity and availability).

To overcome this, the process described above was adopted: the email id is verified, and the reset password link is sent to the verified user's email id. Although this method is now widely followed, there are a few security measures that have to be kept in mind:

  • Verification of the email ID is a must on both the client and the server side (stages 2 & 3 from Fig. 1).
  • The reset link needs to have a time limit. After a particular time period the link should no longer be usable.
  • Once the password has been reset, the link has to expire and must not be reusable.
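The three measures above, implemented as a minimal reset-token service. This is an added example, not code from the original article: the user and token tables are in-memory dictionaries constructed for the demo, and the 15-minute lifetime is an assumed policy. Tokens are generated from the OS CSPRNG, stored only as a hash, checked for expiry on use, and burned after one successful reset.

```python
import hashlib
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: reset links expire after 15 minutes

# Constructed stand-ins for the user table and the reset-token table.
USERS = {"alice@example.com": {"password_hash": "old-hash"}}
RESET_TOKENS = {}  # sha256(token) -> {"email": ..., "expires": ..., "used": bool}


def hash_token(token: str) -> str:
    # Store only a hash, so a leaked token table cannot be turned into working reset links.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Stages 2 and 3: verify the email id server side and issue a token only for known accounts.

    Returns the raw token that would be placed in the emailed link, or None for an
    unknown address. The HTTP handler calling this must respond identically in both
    cases so the endpoint does not reveal which addresses are registered.
    """
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: unguessable
    RESET_TOKENS[hash_token(token)] = {
        "email": email,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def reset_password(token: str, new_password_hash: str, now: Optional[float] = None) -> bool:
    """Stages 4 and 5: accept the token only if it exists, is unexpired and unused, then burn it."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(hash_token(token))
    if record is None or record["used"] or now > record["expires"]:
        return False  # unknown, already used, or past its time limit
    record["used"] = True  # single use: the same link cannot reset the password twice
    USERS[record["email"]]["password_hash"] = new_password_hash
    return True
```

The expiry and single-use checks both live in `reset_password`, so even a token captured from a mailbox after the user has already reset is rejected.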