Email Password / Forgot Password

I am trying to set up a "forgot password" screen for my users. I would like it to email the password to them after they enter their email address. The problem I am having is that it is sending a long password that is incorrect, which I assume is because it is encrypted. How do I get it to send the regular password they use to log in? Or, is it better to set up something similar to OutSystems, where they are sent a link and click it to reset their password? I could use some guidance either way.

Hi Mark,

For security reasons you should never send the actual password. Your mechanism should change the actual password (to random plain text), send it to the email, and next encrypt that plain text and update the database.

This is the usual case in web apps.

Hope it helps, regards,
Miguel Antunes

Everything works, I just want to make sure I did it right. If they forgot their password, I made a forgot password screen where they enter their username. The program searches for the username using a query. On the next line down after the query I generated a random integer using an execute action box. I assigned the random integer to a variable that is passed to the email. Then I assigned the variable to the password field for user master as encrypted, "Encrypt(random)", where random is my variable, and updated the master using an execute action box.

So when the person gets the email, they see the random integer. Obviously the email is not encrypted, so I guess there is nothing really secure about them receiving it. They would then log in and could change their password accordingly if they wanted to.

Does this sound right? It seems to work ok.

I am looking to accomplish this same task. Would you be able to post some source of how you did this? I have set up the forgot password but since the password is encrypted I can't even email that.

James -

There is no way to get the unencrypted password. Instead, what you do is generate a new password and assign it to the user (you can use the "generate password" function for that to make life easy), and provide the user with the new password.

@James: "I am looking to accomplish this same task. Would you be able to post some source of how you did this? I have set up the forgot password but since the password is encrypted I can't even email that."

You shouldn't email the password in the first place; instead you should perform the following:

1) User requests a new password (clicks on the "I forgot password" link)
2) Email the user a request-new-password link
3) User clicks on the link, web screen is loaded, system verifies the password request link
4) System prompts the user to answer his security questions, enter full credit card details or any information that is only known to that user
5) System verifies the information entered matches the user's record on file.
6) System prompts the user to enter a new password
7) System updates the new password and sends the user an email notification in regards to the password change.

Robert -

That is an alternative route that works well too. It's an interesting security question... do you trust your email more than you trust a site to hold the answers to those questions? It really depends on the site. For a service that you don't have a close relationship to, I'd rather have them email me a random password which I change as soon as possible, than to give them the answers to the same kinds of questions that my bank and credit card companies use to verify identity.

That being said, in my SaaS framework, I send a randomly generated password reset link via email that is good for up to 72 hours (configurable). Once that link has been used, it is no good, so someone can't come in after the fact and change your password again within the time window. I think that's the best combination of security on the email end, and not requiring personal information on my end.

@Justin James: "It really depends on the website/use case, as there is no one solution that fits all."

If I hacked into your email account and then requested a password change, I could click the link and change your password for the sites/services that you use, because there is no additional personal/security verification that needs to be made after clicking on the email link. However, this doesn't necessarily mean your solution is bad; maybe you do not need your applications/services to have this type of security, so it really depends on your site/requirements.

For most sites, asking for answers to their security questions is good enough!

Robert -

If you are going to go the security question route, the answers should be one-way encrypted as if they were passwords (because they are just as valuable as passwords since so many sites use them), and they should be normalized (all lower or upper cased, all extra whitespace stripped) before encryption and before comparison, to account for differences in how folks type it in (someone might put "Smith" as their mother's maiden name when signing up, but "smith " when typing it in to reset).

Also of note (I hope this is obvious to all, but just in case...) the password reset pages need to be SSL secured, as should any pages that handle sensitive data, like account settings, credit card information, etc.
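The two design points raised in this thread, a single-use reset link that expires after a configurable window (72 hours above) and security-question answers that are normalized and one-way hashed before storage and comparison, as an added Python example that is not code from the original thread or from OutSystems. The in-memory dictionaries standing in for the user and reset-token tables are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 72 * 3600  # 72-hour window, as in the thread; configurable per call

# Constructed stand-in for a reset-token table. Only the SHA-256 of the token
# is stored, so a database leak does not hand out usable reset links.
reset_tokens = {}  # sha256(token) -> {"user": str, "expires": float, "used": bool}


def issue_reset_token(username, now=None, ttl=RESET_TTL_SECONDS):
    """Create a random single-use reset token and record its hash with an expiry."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # this value goes into the emailed link
    digest = hashlib.sha256(token.encode()).hexdigest()
    reset_tokens[digest] = {"user": username, "expires": now + ttl, "used": False}
    return token


def redeem_reset_token(token, now=None):
    """Return the username if the token is known, unexpired and unused; else None.
    Marks the token used so a second visit within the window is rejected."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    rec = reset_tokens.get(digest)
    if rec is None or rec["used"] or now > rec["expires"]:
        return None
    rec["used"] = True
    return rec["user"]


def normalize_answer(answer):
    """Lower-case and collapse whitespace so "Smith" and "smith " compare equal."""
    return " ".join(answer.lower().split())


def hash_answer(answer, salt=None):
    """Salted PBKDF2 of the normalized answer; returns salt || derived key."""
    salt = secrets.token_bytes(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, 200_000)
    return salt + dk


def verify_answer(answer, stored):
    """Constant-time comparison of a typed answer against the stored salted hash."""
    salt, dk = stored[:16], stored[16:]
    return hmac.compare_digest(dk, hash_answer(answer, salt)[16:])
```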
"System prompts the user to answer his security questions, enter full credit card details..."

...I see what you're doing there - I believe that kind of thing is called phishing :P Now if I bump into any website that asks me about that, I'll suspect you're the mastermind behind it ;)

Just kidding - I think both approaches are valid suggestions.
Paulo Tavares