For a forgot password email the best practice seems to be to flag their account for a password change and email the user a link with a unique token. The token expires and can only be used once.

When they click on the link they are taken directly to a new password form. The unique token acts as a key into the password form and then it expires forever. That way you never send a password, temporary or not, in plain text as part of the email.

On Thu, Aug 14, 2008 at 1:23 PM, j. eric townsend <[EMAIL PROTECTED]> wrote:
> Meredith Noble wrote:
>>
>> I meant more of "email a reset password link" to users. Then again, your
>> approach might be better because people can navigate to the site on
>> their own rather than trusting a link in an email (which could be
>> phishing them, technically). Would you agree?
>
> Well, it's not phishing them if it's a legitimate link. :-) But yes,
> emailing them a temp password then setting the system to force a password
> change on next login is a reasonably good practice. If an attacker is
> trying to jack their account they'll get the email and can take appropriate
> action.
>
> My personal preference is to never mail sensitive links (login, password
> reset), but amazon and eBay do it and seem to survive somehow.
>
> --
> jet / KG6ZVQ
> http://www.flatline.net
> pgp: 0xD0D8C2E8 AC9B 0A23 C61A 1B4A 27C5 F799 A681 3C11 D0D8 C2E8
>
> ________________________________________________________________
> Welcome to the Interaction Design Association (IxDA)!
> To post to this list ....... [EMAIL PROTECTED]
> Unsubscribe ................ http://www.ixda.org/unsubscribe
> List Guidelines ............ http://www.ixda.org/guidelines
> List Help .................. http://www.ixda.org/help

--
Matt Nish-Lapidus
work: [EMAIL PROTECTED] / www.bibliocommons.com
--
personal: [EMAIL PROTECTED]
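The single-use, expiring reset-token flow described in the message above, as an added Python example that is not part of the thread or of any product named in it. The 15-minute lifetime, the in-memory store, the hashed-token storage and the class and method names are assumptions chosen for illustration.

```python
import hashlib
import secrets
import time

# Hypothetical policy: a reset link stops working 15 minutes after it is issued.
TOKEN_TTL_SECONDS = 15 * 60


class PasswordResetService:
    """In-memory model of 'flag the account, email a one-shot token, expire it'."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock so expiry can be tested
        self._pending = {}              # sha256(token) -> (user_id, expires_at)
        self.flagged = set()            # accounts flagged for a password change

    @staticmethod
    def _hash(token: str) -> str:
        # Only a hash is kept server-side, so a copy of the table does not
        # yield working links; the raw token exists only in the email.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, user_id: str) -> str:
        """Flag the account and mint the token that goes into the emailed link."""
        token = secrets.token_urlsafe(32)       # 256 bits from the OS CSPRNG
        self.flagged.add(user_id)
        self._pending[self._hash(token)] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def consume(self, token: str):
        """Return the user id for a valid token; the token is spent either way."""
        entry = self._pending.pop(self._hash(token), None)   # pop == single use
        if entry is None:
            return None                     # unknown, already used, or never issued
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None                     # link opened too late
        return user_id

    def set_new_password(self, token: str, new_password_hash: str) -> bool:
        """The 'new password form' step: the token is the only key into it."""
        user_id = self.consume(token)
        if user_id is None:
            return False
        # A real service would persist new_password_hash for user_id here.
        self.flagged.discard(user_id)
        return True
```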
