I inherited web software where the forgotten password page sends a new password to the user by email. I plan to change that and I am now searching for arguments why one of the two methods below (or something else) could be better in terms of security.
Option 1: Temporary Password
- Create a random password
- Save the salted hash in the database with an expiry time
- Send the plain password to the user in an email and forget it
- Force the user to change the password after the next login. Make sure the new password is different from the one that was sent.
Option 2: Token
- Create a link with a random token that has a limited lifetime
- Send the link to the user by email
- The user is authenticated by the token and can set a new password
I tend towards Option 2 with the following arguments:
- It feels more natural to limit the lifetime of a token than that of a password. That argument is more about usability but it might increase acceptance among users (not all will understand why to take the extra step via a temporary password) and therefore increase security.
- If the “forgotten password” procedure was initiated by an unauthorized person, the legitimate user can still log in with the original password. I see it as security-relevant because locking out another user with a known email address could be an attack
- Similarly: It is easier to invalidate a token than a password if needed.
Note: I won’t use MFA/2FA at this stage because users might not yet have set it up. Encrypted emails are no option here.