I’m looking to add password-reset functionality to my site and have been browsing the numerous threads discussing various aspects of that issue here on SO. One thing I haven’t really seen clarified is how much information to require from the user for confirmation before sending out the reset email.
- is email alone enough?
- email + account username?
- email + account username + some other identifying value all accounts must input?
I don’t want my site to seem like an old wrinkly nun with a ruler, but I don’t want people to be able to abuse the password reset system willy-nilly.
Suggestions?
First concern should be security. How bad would it be if another person got a hold of a user’s password? If this is unacceptable, I’d say what Babiker said – email and a security question of some sort, preferably something that’s never communicated between the site and the user, with the exception of the sign-up process or a security settings edit by the user. The assumption here is that the user’s email account has been compromised.
If security is not a huge deal, i.e. there are no real privacy/financial/etc. risks involved, I think email is enough. To minimize the risk of nuisance, you could do what Kerry suggested – i.e. not reset the password automatically, but provide a verification link. Also, you might want to place some restrictions on how frequently the feature can be used by a given user to prevent someone from filling your inbox by repeatedly entering your email.
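The two mitigations in the answer above (a verification link instead of an automatic reset, plus a per-address rate limit) in working form, as an added Python example that is not part of the original question or answer. The in-memory user table, the outbox list standing in for real mail, the `https://example.com/reset` URL and the policy numbers (30-minute token lifetime, 3 requests per hour) are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Policy values are assumptions for the example, not taken from the thread.
TOKEN_TTL = 30 * 60       # seconds a reset link stays valid
MAX_REQUESTS = 3          # reset emails allowed per address per window
WINDOW = 60 * 60          # rate-limit window in seconds


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """PBKDF2-HMAC-SHA256 with a random salt; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(stored: tuple, candidate: str) -> bool:
    salt, digest = stored
    return hmac.compare_digest(digest, hash_password(candidate, salt)[1])


def _fingerprint(token: str) -> str:
    # Only a hash of the token is kept server-side, so a leaked table of
    # pending resets cannot be turned into usable links.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class PendingReset:
    email: str
    expires_at: float


@dataclass
class ResetService:
    users: dict                                   # email -> (salt, digest)
    outbox: list = field(default_factory=list)    # stands in for real mail
    pending: dict = field(default_factory=dict)   # token hash -> PendingReset
    history: dict = field(default_factory=dict)   # email -> request timestamps

    def request_reset(self, email: str, now: Optional[float] = None) -> str:
        """Send a verification link unless this address is over its quota."""
        now = time.time() if now is None else now
        recent = [t for t in self.history.get(email, []) if now - t < WINDOW]
        if len(recent) >= MAX_REQUESTS:
            self.history[email] = recent
            return "rate_limited"        # nothing sent, the inbox stays quiet
        recent.append(now)
        self.history[email] = recent
        if email not in self.users:
            # A production form would usually answer identically here so it
            # does not reveal which addresses are registered.
            return "unknown"
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self.pending[_fingerprint(token)] = PendingReset(email, now + TOKEN_TTL)
        self.outbox.append((email, f"https://example.com/reset?token={token}"))
        return "sent"

    def complete_reset(self, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
        """Called when the user follows the link and submits a new password."""
        now = time.time() if now is None else now
        entry = self.pending.pop(_fingerprint(token), None)   # single use
        if entry is None or now > entry.expires_at:
            return False
        self.users[entry.email] = hash_password(new_password)
        return True
```

Nothing changes on the account until the link is followed, so a stranger typing your address into the form can at most cause a few emails an hour, and each token is random, hashed at rest, single-use and expiring, so an old message in a mailbox cannot be replayed later.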