Goal
- Allow users to access their accounts, even if they have lost their passwords.
- Simplify user account management.
- Improve security: if passwords never have to be re-sent to users, there is no reason to keep them in a recoverable form (plaintext or reversibly encrypted), so they can be stored only as salted hashes.
Implementation
Provide a link that sends an email explaining the reset procedure to the address associated with the account. The email should carry a link containing a single-use, time-limited token that lets the user choose a new password; it must never contain the current password.
Ideally, place this link in the login form.
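The following is an added example of the reset procedure described above, not code from the original page or from any particular product. It assumes an in-memory account store, an email-sending callback, and a reset page at https://example.com/reset; all of these names are hypothetical. The token emailed to the user is random, single-use and expiring, only its hash is stored, and the form answers identically whether or not the address exists.

```python
"""Password reset by emailed link, not by re-sending the password.

Added example with hypothetical names: the email sender is a callback and the
reset URL base (https://example.com/reset) is an assumption.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

TOKEN_TTL_SECONDS = 15 * 60              # reset links expire after 15 minutes
PBKDF2_ROUNDS = 600_000                  # OWASP guidance for PBKDF2-HMAC-SHA256
RESET_URL = "https://example.com/reset"  # assumption: page the emailed link points to


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2 hash; the plaintext is never stored, so it can never be re-sent."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


@dataclass
class Account:
    email: str
    password_hash: str
    reset_token_hash: Optional[str] = None  # only the hash of the token is kept
    reset_expires_at: float = 0.0


class ResetService:
    NEUTRAL_REPLY = "If an account exists for this address, a reset email has been sent."

    def __init__(self, accounts: List[Account],
                 send_email: Callable[[str, str], None],
                 now: Callable[[], float] = time.time) -> None:
        self.accounts: Dict[str, Account] = {a.email.lower(): a for a in accounts}
        self.send_email = send_email
        self.now = now  # injectable clock so expiry can be tested

    def request_reset(self, email: str) -> str:
        """Step 1: reached from the "Forgot your password?" link next to the login form."""
        account = self.accounts.get(email.strip().lower())
        if account is not None:
            token = secrets.token_urlsafe(32)  # 256 bits of randomness
            # A plain SHA-256 is enough here: the token is unguessable, and hashing
            # only keeps a database read from exposing live reset links.
            account.reset_token_hash = hashlib.sha256(token.encode()).hexdigest()
            account.reset_expires_at = self.now() + TOKEN_TTL_SECONDS
            self.send_email(account.email, f"{RESET_URL}?token={token}")
        # Same reply whether or not the address exists, so the form cannot be
        # used to enumerate accounts.
        return self.NEUTRAL_REPLY

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Step 2: the page the emailed link points to; lets the user set a new password.

        The token is single-use and expiring. The current password is never
        involved, so it never has to be stored in a recoverable form.
        """
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        for account in self.accounts.values():
            if account.reset_token_hash is None:
                continue
            if not hmac.compare_digest(account.reset_token_hash, token_hash):
                continue
            account.reset_token_hash = None  # single use, whether or not we succeed
            if self.now() > account.reset_expires_at:
                return False  # expired link
            account.password_hash = hash_password(new_password)
            return True
        return False  # unknown or already-consumed token
```

In a real deployment the account store would be a database, the clock would be the server's, and the email would go through a mail transport; the three properties to preserve are the ones shown: the token is hashed at rest, it is consumed on first use, and it expires.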
Control
On a website offering a personal account protected by password:
- Without being logged in to the site, check that there is a link such as "Forgot your password?" adjacent to the login form;
- Check that the page the "Forgot your password?" link points to offers a procedure for creating a new password;
- Check that this is indeed a reset procedure and not simply the sending of the current password (an email containing the current password proves that it is stored in a recoverable form).