
Questions tagged [password-reset]

How to let users reset their passwords in a safe manner.

2 votes
0 answers
161 views

If an AWS Cognito User Pool user is in the FORCE_CHANGE_PASSWORD state, they won't be able to go through the "forgot your password" flow to get a password-reset confirmation code. Why not? ...
fblundun
  • 121
0 votes
1 answer
256 views

Security Noob here. I am trying to build a secure passwordless login mechanism for my webservice. The authentication mechanisms My idea is to encourage the users to use the following two login methods:...
2f8n
  • 1
0 votes
1 answer
156 views

I was about to sign up for an ebanking solution, but then noticed their instructions for forgotten password are: Create a new account. So there's no option to reset your password, just a suggestion to ...
CodeVirtuoso
2 votes
1 answer
120 views

I'm developing a multi-platform application using Flutter, which involves sensitive user data and requires both online and offline accessibility. To enhance security and usability, I am considering ...
george orwell
4 votes
1 answer
190 views

Is it a security problem to allow two different user accounts to have the same email address? If the answer is “no problem”, when the user goes to “forgot username” service, should I send an email ...
Pilar
  • 41
2 votes
0 answers
763 views

In the past few weeks I've seen periodic attempts of someone logging in to my LinkedIn accounts. They appear to use some sort of one-time login link feature that LinkedIn has, which allows ...
Ccm
  • 143
1 vote
2 answers
563 views

I have received many security emails from LinkedIn over the past few weeks. An example is shown below (redaction mine) I do not live in the USA and I did not try to access LinkedIn at the times these ...
Josh
  • 121
3 votes
1 answer
565 views

I have noticed on most websites that all previous password reset links are automatically expired when a new one is requested. Why is this so common and what are some possible consequences if this isn'...
user17886134
8 votes
3 answers
6k views

It has crossed my mind to include the requesting IP address in password reset emails. The intention being that if someone is receiving unexpected reset emails, this allows them to do a basic level of ...
paj28
  • 35k
0 votes
0 answers
129 views

Scenario: The setup is that each user has a randomly generated key A used for encrypting data stored on the server and a password-derived key B used to store A on the server without the server getting ...
n-l-i
  • 817
3 votes
4 answers
532 views

This is from the perspective of someone who had supposedly forgotten their password. We're doing this project wherein we "secure" an application that was given to us. We added this "...
Marasmius
0 votes
1 answer
1k views

I am currently working on a solution to at least try to implement a working/modern "change password" option to chntpw. First of all: Windows uses this format in its hive file: root@rescue /...
HeartOfGermany
1 vote
2 answers
185 views

I am using the following line of code to create a reset password code sent to the user in her/his email. When my Ruby code is scanned with Brakeman, this line of code is caught and it describes it as it ...
hanan
  • 131
1 vote
0 answers
101 views

I want to create a website with password login and social login (e.g. Google only.) For password login, first I will send a verification email. I want to prevent pre-hijacking. For those who do not ...
ihsan çiftci
0 votes
1 answer
167 views

Short: I know 0x02135 gets encrypted to -> NzY4MzY5 0x02136 gets encrypted to -> NzcxMzc0 ...etc I want to know 0x02137 will get encrypted to -> ??? (in ...
eternalodballl
