
Implementing a forgot password flow (with pseudo code)

Submitted by Style Pass, 2021-06-07 14:30:10

Users often forget their passwords, and the applications we build have to account for that. This opens a potential attack vector, because anyone can request a password reset. Resetting a password involves sending a token to the user's email address, and that token is what gives attackers an opening. A secure process for generating and handling password reset tokens keeps your users' accounts safe from attackers.

This is a common threat for all web applications. Attackers may look for patterns in the password reset tokens, for example whether a token is derived from the user's userId, the time they signed up, their email address, or any other predictable information. Attackers may also try every possible combination of letters and numbers (brute force), and can succeed if the generated tokens are not long or random enough (i.e. have low entropy).

To prevent this, tokens must be generated from a cryptographically secure random source and must be long enough (we recommend >= 64 characters). Later on in this blog, we will see one such method.
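As an added example (not the post's own method), here is how the guidance above looks in Python: the token comes from the OS CSPRNG via `secrets`, 48 random bytes yield exactly 64 URL-safe characters, only a hash of the token is stored together with an expiry, and the comparison on use is constant time and single use. The in-memory `PENDING_RESETS` dictionary standing in for a database table, and the 15-minute lifetime, are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for a database table of pending resets (assumption of this
# example): user_id -> (sha256 hex digest of the token, expiry as epoch seconds)
PENDING_RESETS = {}

TOKEN_BYTES = 48            # 48 random bytes -> 64 URL-safe characters (384 bits of entropy)
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; short enough to limit an intercepted token


def issue_reset_token(user_id, now=None):
    """Create a reset token from the OS CSPRNG and return it for emailing to the user.

    Only a hash of the token is kept server side, so a leaked database row
    cannot be replayed as the token itself. Nothing about the user (id, email,
    signup time) feeds into the value, so there is no pattern to detect.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)
    PENDING_RESETS[user_id] = (hashlib.sha256(token.encode()).hexdigest(),
                               now + TOKEN_TTL_SECONDS)
    return token


def verify_reset_token(user_id, presented, now=None):
    """Return True only if the presented token matches, is unexpired and unused.

    hmac.compare_digest avoids leaking how many leading bytes matched through
    timing; the entry is deleted on success so a token cannot be used twice.
    """
    now = time.time() if now is None else now
    entry = PENDING_RESETS.get(user_id)
    if entry is None:
        return False
    stored_hash, expires_at = entry
    presented_hash = hashlib.sha256(presented.encode()).hexdigest()
    if now > expires_at or not hmac.compare_digest(stored_hash, presented_hash):
        return False
    del PENDING_RESETS[user_id]  # single use
    return True
```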
