Email Based Resets

One of the things that came up in our discussion was whether email-based resets are appropriate in our environment. Many sites generate a temporary hash with a short expiry, sometimes after a security check (challenge question, etc.), and email it to an address already on file. Arguably this adds a level of security, because the attacker would also have had to compromise the email account.
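The mechanism described above, as an added example that is not part of the original memo: a reset token is generated with a short expiry, only its hash is stored on our side, and it can be redeemed exactly once. The in-memory store, the 15-minute lifetime and the function names are assumptions chosen for illustration, not anything the memo specifies.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory store: user id -> (sha256 hex digest of token, expiry as epoch seconds).
# Assumption for illustration; in a real system this lives next to the user record.
_pending_resets = {}

TOKEN_TTL_SECONDS = 15 * 60  # "short expire" from the memo; 15 minutes is an assumed value


def _digest(token: str) -> str:
    # Hash the token before storing it so a read of the store does not yield a usable link.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Generate a single-use reset token for user_id and record only its hash.

    The returned plaintext token is what would be emailed to the address on file.
    Re-issuing for the same user replaces any earlier, still-pending token.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _pending_resets[user_id] = (_digest(token), now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(user_id: str, presented: str, now: Optional[float] = None) -> bool:
    """Return True exactly once for a valid, unexpired token; False otherwise.

    The record is dropped on success and on expiry so a token cannot be replayed
    after use or after its window has closed.
    """
    now = time.time() if now is None else now
    record = _pending_resets.get(user_id)
    if record is None:
        return False
    stored_digest, expires_at = record
    if now > expires_at:
        del _pending_resets[user_id]
        return False
    # Constant-time comparison so a wrong guess cannot be distinguished by timing.
    if not hmac.compare_digest(stored_digest, _digest(presented)):
        return False
    del _pending_resets[user_id]
    return True


if __name__ == "__main__":
    t = issue_reset_token("alice")
    print("first redeem:", redeem_reset_token("alice", t))   # True
    print("second redeem:", redeem_reset_token("alice", t))  # False, single use
```

The `now` parameter exists only so the expiry path can be exercised deterministically; production callers leave it unset. A wrong guess deliberately leaves the pending record in place, so the lookup should still sit behind whatever rate limiting the login path already has.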

However, our environment is a bit more complex.

The email password reset would serve a purpose only if both of the following statements are true:

  1. Email password reset is sufficient security on its own, and no additional authentication (identifiers or shared secrets) is required.
  2. Proposed [Simple Solution A] or [Simple Solution B] is not sufficient to allow an immediate reset.

I would argue that both of the above statements are false.

Statement #1

A reset password hash with a short expiry is sufficient and convenient for most simple web sites, but third-party email accounts should not be trusted in this security context.

Statement #2

Since proposed solutions A and B, which prompt for secrets that are within our control, are stronger than the untrusted authentication mechanisms of remote email systems, there is no reason to send users through an additional hoop. Allowing users to reset their password immediately after passing our authentication prompts is more convenient for them. There is no reason to send them to an email system to receive an HTTP link that only sends them right back to our site.

Summary

Finally, implementing a solution that will not work for all users (not all users forward email) is an unnecessary complication in our quest to produce a simple solution, and in the end would probably confuse users without providing increased security. Even if you believed that the email hash would increase security, since you would have to allow for non-email password resets, you would have allowed a weaker form and negated the benefits of the "stronger" form.