When a user changes their password, should I let the old password be valid for a few days?

@Gail5422790

Posted in: #Password

I'm building a new web site. I'm now writing the code where a user can request an email to reset a lost password. As I'm writing it, it occurs to me that there could be several scenarios:

1. The user simply forgot their password and needs a reset, so it doesn't matter if I let the old password be valid.
2. A hacker got into the user's email account and has requested a password reset from my site, so it's best to leave the old password valid for a few days so the user can get back into the account and alert a mod.
3. The user's password is compromised and needs it changed immediately, so letting the old password be valid risks letting unauthorized persons into the account.

What is the solution to this dilemma?


@BetL925

The email to reset the password shouldn't change the password until the recipient clicks on the link in the email. If the password is changed when the email is sent out, then you have effectively locked out the real user in the case that somebody else had requested that their password be reset.

Once the user clicks on the link in the email to reset the password, the new password should take effect immediately.

If you have a form for logged in users to change their password, that should take effect immediately. Users will probably use that in the case they wish to change their password for security reasons.


@Kimberly868

You should change the password immediately. There are several reasons for this:


1. If the account has been compromised, allowing the old password will mean that the account is still compromised and the attacker will be able to change it again.
2. Every other system changes the password immediately, so this is what the user will be expecting.
3. If you allow the old password, the user might not think that the password has in fact been changed, so may well initiate the "change password" procedure again.


All changes for a password should be confirmed via an e-mail sent to the registered address, and as long as you don't allow a change of password and a change of contact e-mail address at the same time, it should be difficult for an attacker to gain control over the account.

You would only allow the change when the user visits the page you link to in the e-mail or allow the change to be rejected via a link.

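The two answers above describe one flow: a reset e-mail that leaves the stored password untouched until the link is clicked, a change that then takes effect at once, a confirmation e-mail with a "this wasn't me" link, and no e-mail address change in the same window as a password change. The following is an added example of that flow in Python and is not code from either poster; it assumes an in-memory account store, a one-hour reset link lifetime, a 24-hour cooldown on e-mail address changes after a password change, PBKDF2 from the standard library for password hashing, and a policy of locking the account for moderator review when the confirmation link is rejected. Tokens are stored only as SHA-256 digests so a leaked table does not yield usable links.

```python
import hashlib
import hmac
import secrets
import time

RESET_TOKEN_TTL = 60 * 60              # reset link lifetime (assumed policy)
EMAIL_CHANGE_COOLDOWN = 24 * 60 * 60   # no e-mail change this soon after a password change (assumed policy)
PBKDF2_ROUNDS = 100_000                # kept modest so the example runs quickly


def _now(now):
    return time.time() if now is None else now


def hash_password(password, salt=None):
    """Return (salt, digest); PBKDF2 is used only because it ships with the standard library."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(user, password):
    return hmac.compare_digest(hash_password(password, user["salt"])[1], user["pw_hash"])


def _digest(raw_token):
    return hashlib.sha256(raw_token.encode()).digest()


class AccountStore:
    """Constructed in-memory stand-in for the site's user table (hypothetical, example only)."""

    def __init__(self):
        self.users = {}          # email -> user record
        self.reset_tokens = {}   # sha256(token) -> {"email", "expires", "used"}
        self.reject_tokens = {}  # sha256(token) -> email
        self.outbox = []         # "sent" e-mails as (to, kind, raw_token)

    def create_user(self, email, password):
        salt, pw_hash = hash_password(password)
        self.users[email] = {"salt": salt, "pw_hash": pw_hash, "sessions": set(),
                             "locked": False, "pw_changed_at": 0.0}

    def login(self, email, password):
        u = self.users.get(email)
        if u is None or u["locked"] or not verify_password(u, password):
            return None
        sid = secrets.token_urlsafe(16)
        u["sessions"].add(sid)
        return sid

    def request_reset(self, email, now=None):
        """Step 1: mail a link; the stored password is NOT touched, so a stray request locks nobody out."""
        if email not in self.users:
            return  # behave the same as on success so the form does not reveal which e-mails exist
        raw = secrets.token_urlsafe(32)
        self.reset_tokens[_digest(raw)] = {"email": email, "expires": _now(now) + RESET_TOKEN_TTL, "used": False}
        self.outbox.append((email, "reset", raw))

    def complete_reset(self, raw_token, new_password, now=None):
        """Step 2: only the link changes the password, and then immediately; tokens are single-use and expire."""
        rec = self.reset_tokens.get(_digest(raw_token))
        if rec is None or rec["used"] or _now(now) > rec["expires"]:
            return False
        rec["used"] = True
        self._set_password(rec["email"], new_password, _now(now))
        return True

    def change_password(self, email, session_id, old_password, new_password, now=None):
        """Logged-in change: takes effect at once and goes through the same notification path."""
        u = self.users[email]
        if session_id not in u["sessions"] or not verify_password(u, old_password):
            return False
        self._set_password(email, new_password, _now(now))
        return True

    def _set_password(self, email, new_password, now):
        u = self.users[email]
        u["salt"], u["pw_hash"] = hash_password(new_password)
        u["sessions"].clear()  # old password and every existing session stop working right away
        u["pw_changed_at"] = now
        raw = secrets.token_urlsafe(32)  # "this wasn't me" link for the confirmation e-mail
        self.reject_tokens[_digest(raw)] = email
        self.outbox.append((email, "password-changed", raw))

    def reject_change(self, raw_token):
        """Recipient of the confirmation mail disowns the change: lock the account for a moderator to review."""
        email = self.reject_tokens.pop(_digest(raw_token), None)
        if email is None:
            return False
        self.users[email]["locked"] = True
        self.users[email]["sessions"].clear()
        return True

    def change_email(self, email, session_id, new_email, now=None):
        """Refused inside the cooldown so password and contact address cannot be swapped together."""
        u = self.users[email]
        if session_id not in u["sessions"] or _now(now) - u["pw_changed_at"] < EMAIL_CHANGE_COOLDOWN:
            return False
        self.users[new_email] = self.users.pop(email)
        return True
```

The `outbox` list stands in for the mailer; in a real deployment the raw token goes only into the e-mail and never into a log, and the rejection link should lead to a human review step rather than silently restoring the previous password, since the previous password is exactly what an attacker who triggered the change may already hold.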