Using email, what is the best process to implement a forgotten password? Does anyone have an example OML that I could reference?
Hello Colin

I'm not sure if there's any component on Forge that implements a forgotten password workflow. Nonetheless, one of the most commonly used workflows that is rather secure is to implement a password reset via a secure link sent by email, with a short-term token.

The overall workflow would be something like:

1. The user presses the Forgot password link
2. The user is redirected to a form that requests the user's email only, with a submit button/link that will send an email
3. Regardless of the email being a valid user email or not, the feedback should always be "An email with information on how to reset your password was sent!", or something like that (it has to do with login harvesting, there's a good discussion on [1]). Of course, the email will only be sent if the user has inputted a valid account email address.
4. The content of the email should include a link to a secure (https) reset password page, with a generated token (guid or hash) as input parameter. This token should be unique, generated only for the reset password purpose, and associated with the user's account for reset password purpose for a short time span (say 1 hour).
5. When the user clicks on the link, they will be on a form asking for the new password, and confirmation of the new password.
6. After the user inputs the new password and presses submit, the password is updated in the user account, and the token is destroyed and invalidated (so it will only work once).

Of course, there are several other variations of the forgotten password workflow; however, the key aspect here is that the user's email account is used to share the token necessary to reset the password, and the password reset does not depend on questions or data that can be phished or deduced by other users.

I hope this helps in implementing the workflow you need.
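
Steps 3 to 6 of the workflow above, written in Python as an added example; it is not part of the original thread and not OutSystems/OML code. `ResetService`, the in-memory stores, the `app.example` URL, the PBKDF2 password hash and the choice to store only a digest of the token are assumptions of this example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # step 4: short time span, "say 1 hour"
GENERIC_REPLY = "An email with information on how to reset your password was sent!"

def hash_password(password):
    # Assumption: salted PBKDF2 stands in for the platform's own password hashing.
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

class ResetService:
    def __init__(self, users, send_email, now=time.time):
        self.users = users            # email -> account dict (constructed in-memory store)
        self.send_email = send_email  # hypothetical mailer: callable(email, link)
        self.now = now                # injectable clock so expiry can be tested
        self.tokens = {}              # sha256(token) -> (email, expires_at)

    @staticmethod
    def _digest(token):
        # Only the digest is stored, so a leaked token table holds no usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email):
        if email in self.users:
            # One live token per account: drop any earlier one.
            self.tokens = {d: v for d, v in self.tokens.items() if v[0] != email}
            token = secrets.token_urlsafe(32)  # unique, unguessable, reset-only
            self.tokens[self._digest(token)] = (email, self.now() + TOKEN_TTL_SECONDS)
            self.send_email(email, "https://app.example/ResetPassword?token=" + token)
        # Step 3: same feedback whether or not the account exists.
        return GENERIC_REPLY

    def reset_password(self, token, new_password, confirmation):
        if new_password != confirmation:
            return False  # token kept so the user can retype the form
        # Step 6: pop() destroys the token, so it works only once.
        entry = self.tokens.pop(self._digest(token), None)
        if entry is None:
            return False
        email, expires_at = entry
        if self.now() > expires_at:
            return False  # expired token is rejected and already removed
        self.users[email]["password_hash"] = hash_password(new_password)
        return True
```
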


Just a note here... the passwords are stored with one-way encryption, so you can ever "retrieve" a password, you can only do a reset of the password.

Good morning Justin James.
In your comment above you say the following: 'so you can ever "retrieve" the password' and then immediately say, 'you can only reset to the password of the'.
May I or may I not recover the password and send it to the user?
Thank you!
I think it's a typo and should say "never"
Yes, it's a typo, it should say "never".

OK, thanks!