
Rule n° 199 - The site provides a way to reinitialise a password.

Losing a username or password happens to everyone. The reset procedure should be simple and possible to complete securely online. A lost password can mean a lost user.

#Security #Development

Goal

  • Allow users to access their accounts, even if they have lost their passwords.
  • Simplify user account management.
  • Improve security: a genuine reset procedure removes any reason to keep passwords in plain text or in a reversible form so that they can be re-sent to users; the site only needs to store a salted hash.

Implementation

Provide a link that sends an email, to the address associated with the account, explaining the reset procedure. That email should contain a single-use, time-limited reset link and never the current password, and the site's response to the request should not reveal whether the address is registered.

Ideally, place this link in the login form.
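The flow described above, as an added example written for this page (it is not Opquast's code and Opquast publishes no implementation). It assumes an in-memory user store and an "outbox" list standing in for the mail server; the hostname `example.invalid`, the 15-minute lifetime and all function names are assumptions. It shows the three properties the rule implies: the site holds only a salted password hash, the reset link carries a random single-use token that expires, and the "forgot password" form answers identically for known and unknown addresses.

```python
"""Minimal password-reset flow (illustrative, not a library)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

TOKEN_TTL_SECONDS = 15 * 60       # assumed lifetime of a reset link
PBKDF2_ITERATIONS = 600_000       # OWASP-recommended count for PBKDF2-HMAC-SHA256


@dataclass
class User:
    email: str
    password_hash: str            # salted hash only; the password itself is never stored


@dataclass
class ResetRequest:
    token_hash: str               # the token is stored hashed, like a password
    expires_at: float


@dataclass
class ResetService:
    users: Dict[str, User] = field(default_factory=dict)
    pending: Dict[str, ResetRequest] = field(default_factory=dict)
    outbox: List[Tuple[str, str]] = field(default_factory=list)   # constructed stand-in for email
    clock: Callable[[], float] = time.time                        # injectable for expiry tests

    @staticmethod
    def hash_password(password: str, salt: bytes = b"") -> str:
        salt = salt or secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        return salt.hex() + "$" + digest.hex()

    @staticmethod
    def verify_password(password: str, stored: str) -> bool:
        salt_hex, digest_hex = stored.split("$")
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
        return hmac.compare_digest(digest.hex(), digest_hex)

    def register(self, email: str, password: str) -> None:
        self.users[email] = User(email, self.hash_password(password))

    def request_reset(self, email: str) -> str:
        """Handler behind the "Forgot your password?" link.

        Returns the same message whether or not the address is known, so the
        form cannot be used to enumerate accounts.
        """
        if email in self.users:
            token = secrets.token_urlsafe(32)                    # 256 bits of entropy
            self.pending[email] = ResetRequest(
                token_hash=hashlib.sha256(token.encode()).hexdigest(),
                expires_at=self.clock() + TOKEN_TTL_SECONDS,
            )
            # The email explains the procedure and carries the link; the token
            # is the only secret in it, never the current password.
            self.outbox.append((email, f"https://example.invalid/reset?token={token}"))
        return "If an account exists for that address, a reset email has been sent."

    def complete_reset(self, email: str, token: str, new_password: str) -> bool:
        """Handler behind the link in the email. True only if the password was changed."""
        req = self.pending.get(email)
        if req is None:
            return False
        if self.clock() > req.expires_at:
            del self.pending[email]                              # expired: discard
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, req.token_hash):
            return False          # wrong token; request kept so a guess cannot cancel a real reset
        del self.pending[email]                                  # single use: consumed on success
        self.users[email].password_hash = self.hash_password(new_password)
        return True


if __name__ == "__main__":
    svc = ResetService()
    svc.register("alice@example.invalid", "correct horse")       # constructed sample account
    print(svc.request_reset("alice@example.invalid"))
    _, link = svc.outbox[0]
    token = link.split("token=", 1)[1]
    print("reset ok:", svc.complete_reset("alice@example.invalid", token, "battery staple"))
```

In a real deployment the pending requests live in the database, the request endpoint is rate-limited, and the token is compared only through its hash so that a leaked table does not yield usable links.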

Control

On a website offering a personal account protected by password:

  • Without being identified on the site, check that there is a link such as "Forgot your password?" adjacent to the login form;
  • Check that there is a procedure allowing a new password to be created on the page which the "Forgot your password?" link points to;
  • Check that this is indeed a reset procedure (a new password is chosen) and not simply an email containing the current password, which would show that the site stores passwords in a recoverable form.

By Opquast - Read the license