C# – Password Recovery without sending password via email

.net-2.0asp.netasp.net-membershipcpasswords

So, I've been playing with asp:PasswordRecovery and discovered I really don't like it, for several reasons:

1) Alice's password can be reset even without having access to Alice's email. A security question for password resets mitigates this, but does not really satisfy me.

2) Alice's new password is sent back to her in cleartext. I would rather send her a special link to my page (e.g. a page like example.com/recovery.aspx?P=lfaj0831uefjc), which would let her change her password.

I imagine I could do this myself by creating some sort of table of expiring password recovery pages and sending those pages to users who asked for a reset. Somehow those pages could also change user passwords behind the scenes (e.g. by resetting them manually and then using the text of the new password to change the password, since a password cannot be changed without knowing the old one). I'm sure others have had this problem before and that kind of solution strikes me as a little hacky. Is there a better way to do this?

An ideal solution does not violate encapsulation by accessing the database directly but instead uses the existing stored procedures within the database…though that may not be possible.

Best Answer

I'm currently implementing an open source user management system on top of Spring + SpringSecurity, and here's how I'm addressing the lost password problem.

The user's account must have a preregistered email address.
To request a reset, the user enters their account name into a form.
A temporary "reset code" is generated and attached to the account, and emailed to the user embedded in a hyperlink.
On receiving the email, the user clicks the link which takes them to a page to enter their new password.
Before accepting the new password, the reset code (from the link) is checked against the stored code, to make sure it is correct and that it hasn't expired.

This avoids sending a password (in clear) in an email message. And it also protects against one person resetting another person's password just to be a nuisance, because the password reset only takes place after the link has been used.

But it does rely on the user's email account being secure, and in the email not being snooped while in transit. For some applications, this maybe an unacceptable risk.

Another piece of the equation is that you need to be really careful about changing a user's registered email addresses. At the very least, the user must enter their current password with the request to change address ... to prevent against hacking via unattended login sessions.

Related Solutions

C# – Sending email in .NET through Gmail

Be sure to use System.Net.Mail, not the deprecated System.Web.Mail. Doing SSL with System.Web.Mail is a gross mess of hacky extensions.

using System.Net;
using System.Net.Mail;

var fromAddress = new MailAddress("from@gmail.com", "From Name");
var toAddress = new MailAddress("to@example.com", "To Name");
const string fromPassword = "fromPassword";
const string subject = "Subject";
const string body = "Body";

var smtp = new SmtpClient
{
    Host = "smtp.gmail.com",
    Port = 587,
    EnableSsl = true,
    DeliveryMethod = SmtpDeliveryMethod.Network,
    UseDefaultCredentials = false,
    Credentials = new NetworkCredential(fromAddress.Address, fromPassword)
};
using (var message = new MailMessage(fromAddress, toAddress)
{
    Subject = subject,
    Body = body
})
{
    smtp.Send(message);
}

Additionally go to the Google Account > Security page and look at the Signing in to Google > 2-Step Verification setting.

If it is enabled, then you have to generate a password allowing .NET to bypass the 2-Step Verification. To do this, click on Signing in to Google > App passwords, select app = Mail, and device = Windows Computer, and finally generate the password. Use the generated password in the fromPassword constant instead of your standard Gmail password.
If it is disabled, then you have to turn on Less secure app access, which is not recommended! So better enable the 2-Step verification.

Unix – How to remove the passphrase for the SSH key without having to create a new key

Short answer:

$ ssh-keygen -p

This will then prompt you to enter the keyfile location, the old passphrase, and the new passphrase (which can be left blank to have no passphrase).

If you would like to do it all on one line without prompts do:

$ ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]

Important: Beware that when executing commands they will typically be logged in your ~/.bash_history file (or similar) in plain text including all arguments provided (i.e. the passphrases in this case). It is, therefore, is recommended that you use the first option unless you have a specific reason to do otherwise.

Notice though that you can still use -f keyfile without having to specify -P nor -N, and that the keyfile defaults to ~/.ssh/id_rsa, so in many cases, it's not even needed.

You might want to consider using ssh-agent, which can cache the passphrase for a time. The latest versions of gpg-agent also support the protocol that is used by ssh-agent.

Best Answer

Related Solutions

C# – Sending email in .NET through Gmail

Unix – How to remove the passphrase for the SSH key without having to create a new key

Related Topic