How to: Recover account password via Account Manager

Exceptionfault
Peon
Posts: 21
Joined: 20 Jul 2008, 15:46
Location: Germany

How to: Recover account password via Account Manager

Post by Exceptionfault »

Hi all,

Here are some thoughts about changing a forgotten password through the account
manager.

Approach I: The user enters his username, mail address and twice his new
password, and the procedure is finished. Maybe he gets informed via mail.

Approach II: The user enters his username and mail address. A new password will
be generated by the server and sent via mail to the user.

Approach III: The user enters his username and mail address. He gets a
mail containing a link with his username and a generic unique key. The link
takes him to a form where he can change his password if unique key and username
are correct.


IMO the third approach is the safest. Only with the knowledge of a username and
a password one shouldn't be able to change a password directly. We should
validate the wish of changing via mail and active response of the owner of the
mail account.

One problem in approach III is that atm there is no field in the database to
store the unique key sent to the user.

Therefore I have another three approaches:

1.) Extend the table tmw_accounts by this field.
2.) Use a second database file only for account manager needs.
3.) Generate a deterministic key that could be validated by the account manager
via known parameters. Maybe a combination of a secret salt, username and
mail address.
Never say: "Always"! Always say: "Never say never"! - Tom Kyte @ Ask Tom Live in Berlin 2008

ElvenProgrammer
Founder
Posts: 2526
Joined: 13 Apr 2004, 19:11
Location: Italy

Re: How to: Recover account password via Account Manager

Post by ElvenProgrammer »

Exceptionfault wrote: Approach III: The user enters his username and mail address. He gets a
mail containing a link with his username and a generic unique key. The link
takes him to a form where he can change his password if unique key and username
are correct.
This is the only way to go. The only other approach is that once the mailbox is confirmed a new password is generated and sent to the user instead of letting the user change it.
Exceptionfault wrote: One problem in approach III is that atm there is no field in the database to
store the unique key sent to the user.

Therefore I have another three approaches:

1.) Extend the table tmw_accounts by this field.
2.) Use a second database file only for account manager needs.
3.) Generate a deterministic key that could be validated by the account manager
via known parameters. Maybe a combination of a secret salt, username and
mail address.
I think the best option is 1 since the field is useful also when requesting the password by the client. 2 is unnecessary while 3 feels a bit insecure.
Jaxad0127
Manasource
Posts: 4209
Joined: 01 Nov 2007, 17:35
Location: Internet

Re: How to: Recover account password via Account Manager

Post by Jaxad0127 »

ElvenProgrammer wrote:
Exceptionfault wrote: One problem in approach III is that atm there is no field in the database to
store the unique key sent to the user.

Therefore I have another three approaches:

1.) Extend the table tmw_accounts by this field.
2.) Use a second database file only for account manager needs.
3.) Generate a deterministic key that could be validated by the account manager
via known parameters. Maybe a combination of a secret salt, username and
mail address.
I think the best option is 1 since the field is useful also when requesting the password by the client. 2 is unnecessary while 3 feels a bit insecure.
Mixing one and three by adding a timestamp to the accounts table (and maybe a random number) and using them with the other data to generate and validate the key is an option.
Habari
Novice
Posts: 249
Joined: 25 Nov 2007, 16:04

Re: How to: Recover account password via Account Manager

Post by Habari »

I think the user shouldn't enter his email; it's much safer if he just enters his name, and an email is sent to the associated email for that account (without telling the person which email address that is). The email could remind you directly what your password is, because only you can access your email and know the email address / password.
Prompt: "An email with your password was successfully sent to the email account you used to register in game"

An alternative: ask for your user name and a few questions (birth date, country, etc.)
and still send the password to a secret email only the right user knows, only if the answers are correct, without telling the person in which question the mistake is; just prompt a generic: "error: bad info, bad user name, or personal data, email couldn't be sent"

Also, you can add still more security if the email in the above methods contains not the password but a temporary and very long random password, which will expire if you don't use it to change your password back again in less than 24 hours.
Also you shouldn't be allowed to use the password recovery system more than twice every 72 hours, regardless of having different IPs.

PS: the system should include a Turing test such as captchas.
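The "mix one and three" scheme from Jaxad0127's post, with the 24-hour expiry Habari suggests, as an added Python sketch that is not part of this thread or the project's account manager: the account row gets only a timestamp and a random nonce, the key in the mailed link is an HMAC over username, mail address, timestamp and nonce under a server-side secret salt, and a key is rejected once expired or used. SECRET_SALT, the in-memory accounts dict and every function name are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed server-side secret kept in config, never in tmw_accounts (constructed value).
SECRET_SALT = b"constructed-secret-salt-not-in-the-database"
RESET_TTL = 24 * 3600  # seconds the mailed key stays valid

# Constructed stand-in for tmw_accounts rows, extended with the two new columns
# (reset_ts, reset_nonce); the key itself is never stored.
accounts = {
    "alice": {"email": "alice@example.org", "password": "old-pw",
              "reset_ts": None, "reset_nonce": None},
}


def derive_key(username, email, reset_ts, reset_nonce):
    """Deterministic key: HMAC over username, mail address, timestamp and nonce."""
    msg = "\0".join([username, email, str(reset_ts), reset_nonce]).encode()
    return hmac.new(SECRET_SALT, msg, hashlib.sha256).hexdigest()


def request_reset(username, now):
    """Step 1: the user supplies only the username. Store a fresh timestamp and
    nonce on the account and return the key that goes into the mailed link."""
    acct = accounts.get(username)
    if acct is None:
        return None  # the web form shows the same generic message either way
    acct["reset_ts"] = now
    acct["reset_nonce"] = secrets.token_hex(16)
    return derive_key(username, acct["email"], now, acct["reset_nonce"])


def complete_reset(username, key, new_password, now):
    """Step 2: the link is followed. Recompute the key from the stored columns,
    check expiry, compare the key in constant time, then clear the columns so
    the key works only once."""
    acct = accounts.get(username)
    if acct is None or acct["reset_ts"] is None:
        return False
    if now - acct["reset_ts"] > RESET_TTL:
        return False
    expected = derive_key(username, acct["email"], acct["reset_ts"], acct["reset_nonce"])
    if not hmac.compare_digest(expected.encode(), str(key).encode()):
        return False
    acct["password"] = new_password  # the real table would store a hash
    acct["reset_ts"] = acct["reset_nonce"] = None
    return True
```

Because only the timestamp and nonce sit in the table, a copy of the database alone does not reveal a usable key; the secret salt must also be known.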
trapdoor
Novice
Posts: 216
Joined: 18 Feb 2007, 12:36

Re: How to: Recover account password via Account Manager

Post by trapdoor »

If the user never enters his email address we cannot know what email address to send the key or password to. The email address is stored encrypted, so you can't just look it up in the database.

--
trapdoor