Concept

This lesson teaches about password reset functionality which most of the time is an overlooked part of the application leading to all kind of interesting logic flaws.

Goals

Teach how to securely implement password reset functionality within your application.

Introduction

Each and every one of us will have used the password reset functionality on websites before. Each website implements this functionality in a different manner. On some sites you have to answer some question on other sites an e-mail with an activation link will be sent to you. In this lesson we will go through some of the most common password reset functionalities and show where it can go wrong.

Still there are companies which will send the password in plaintext to a user in an e-mail. For a couple of examples you can take a look at http://plaintextoffenders.com/. Here you will find websites which still send you the plaintext password in an e-mail. Not only this should make you question the security of the site but this also means they store your password in plaintext!