
I have an MVC 4 web application that requires users to log in. Most of the users don't have email accounts. If someone forgot his password, how do I reset it? All the reset password systems I find require some sort of email account. I just want something simple, such as resetting it to a default password, and the user can change his password once he logs on using that default password. The problem is the password is encrypted in SQL Server. I can't find a tool that encrypts passwords.

Passwords should not be encrypted - they should be hashed (and salted). If your users do not have an email account you should ask them for a security question on account creation & allow them to reset the password based on that security question. Also no "default password" - have them provide the new password right away. Commented Mar 15, 2016 at 16:40

1 Answer

First off, the most widely used authentication implementations go to considerable lengths to prevent user credentials being stored in a reversible (i.e. plain text, or something that could be encrypted) format. Instead you should hash & salt plain text credentials and compare with a stored value.

Next, to securely reset a user's credentials you need to authenticate them through some other means. This is, as you mention, most commonly achieved through email, but if this isn't possible you should look at other out-of-band methods of authentication, perhaps send the user an SMS with a one-time code, or make them answer a series of security questions. Once you have validated the user's identity, force them to set a new password and override your stored hash for the user.
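The two points in this answer (store a salted hash rather than a reversible value, and reset by proving identity out of band and then overwriting the hash) are shown together below in an added Python example. It is not code from the question's MVC 4 application or from any library it uses; the in-memory `UserStore`, the 8-digit reset code, the 10-minute expiry and the PBKDF2 iteration count are all assumptions made for the illustration, and the SMS delivery step is left to the caller.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Assumed parameters for this example (not from the original page).
PBKDF2_ITERATIONS = 600_000       # slows offline guessing against a leaked hash
RESET_CODE_TTL_SECONDS = 600      # one-time code is only good for 10 minutes


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). A fresh random salt is drawn per user unless one is given.
    Only the salt and the hash are stored; the password itself is never kept."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_hash)


class UserStore:
    """Constructed in-memory stand-in for the users table in the question's SQL Server."""

    def __init__(self) -> None:
        self.users = {}        # username -> {"salt": bytes, "hash": bytes}
        self.reset_codes = {}  # username -> {"code_hash": bytes, "expires": float}

    def create_user(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "hash": digest}

    def login(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        return verify_password(password, rec["salt"], rec["hash"])

    def issue_reset_code(self, username: str, now: Optional[float] = None) -> Optional[str]:
        """Generate a one-time code for the caller to deliver out of band (e.g. by SMS).
        Only a hash of the code is stored, so a database leak does not expose live codes.
        Returns None for an unknown user."""
        if username not in self.users:
            return None
        now = now if now is not None else time.time()
        code = f"{secrets.randbelow(10**8):08d}"
        self.reset_codes[username] = {
            "code_hash": hashlib.sha256(code.encode("utf-8")).digest(),
            "expires": now + RESET_CODE_TTL_SECONDS,
        }
        return code

    def redeem_reset_code(self, username: str, code: str, new_password: str,
                          now: Optional[float] = None) -> bool:
        """Validate the out-of-band code, then overwrite the stored hash with the new password.
        The pending code is removed on the first attempt, right or wrong, so it is single use
        and a wrong guess does not leave the code alive for further guessing."""
        now = now if now is not None else time.time()
        pending = self.reset_codes.pop(username, None)
        if pending is None or now > pending["expires"]:
            return False
        supplied = hashlib.sha256(code.encode("utf-8")).digest()
        if not hmac.compare_digest(supplied, pending["code_hash"]):
            return False
        salt, digest = hash_password(new_password)   # new salt with the new password
        self.users[username] = {"salt": salt, "hash": digest}
        return True


if __name__ == "__main__":
    store = UserStore()
    store.create_user("alice", "correct horse battery")
    code = store.issue_reset_code("alice")          # deliver this by SMS, never show it on screen
    print("reset ok:", store.redeem_reset_code("alice", code, "new password"))
    print("login with new password:", store.login("alice", "new password"))
```

Because the user supplies the replacement password in the same step that consumes the code, there is no shared "default password" window in which an account sits behind a value anyone could guess. The same structure works with a security-question check in place of the SMS code: the answer is stored as a salted hash like the password, and its verification replaces `redeem_reset_code`'s code comparison.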
