I’m working on an application in ASP.NET, and was wondering specifically how I could implement a Password Reset function if I wanted to roll my own.
Specifically, I have the following questions:
- What is a good way of generating a Unique ID that is hard to crack?
- Should there be a timer attached to it? If so, how long should it be?
- Should I record the IP address? Does it even matter?
- What information should I ask for under the ‘Password Reset’ screen? Just Email address? Or maybe email address plus some piece of information that they ‘know’? (Favorite team, puppy’s name, etc)
Are there any other considerations I need to be aware of?
NB: Other questions have glossed over technical implementation entirely. Indeed the accepted answer glosses over the gory details. I hope that this question and subsequent answers will go into the gory details, and I hope by phrasing this question much more narrowly that the answers are less ‘fluff’ and more ‘gore’.
Edit: Answers that also go into how such a table would be modeled and handled in SQL Server or any ASP.NET MVC links to an answer would be appreciated.
Lots of good answers here, I won't bother repeating it all…
Except for one issue, which is repeated by almost every answer here, even though it's wrong:
This is not true, GUIDs are very weak identifiers, and should NOT be used to allow access to a user’s account.
If you examine the structure, you get a total of 128 bits at most… which is not considered a lot nowadays.
Out of which the first half is typically invariant (for the generating system), and half of what's left is time-dependent (or something else similar).
All in all, it's a very weak and easily brute-forced mechanism.
So don’t use that!
Instead, simply use a cryptographically strong random number generator (System.Security.Cryptography.RNGCryptoServiceProvider), and get at least 256 bits of raw entropy. All the rest, as the numerous other answers provided.
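To make the 256-bit recommendation concrete, here is an added C# example (not from the answer above, and not any project's code) that issues and redeems a reset token. It assumes .NET Core 2.1 or later for CryptographicOperations.FixedTimeEquals, a one-hour lifetime, and a PasswordResetRecord class standing in for one row of an assumed PasswordResetTokens table; RandomNumberGenerator.Create() is the base-class API that RNGCryptoServiceProvider derives from.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// One row of an assumed PasswordResetTokens table (this example's schema, not the page's).
public sealed class PasswordResetRecord
{
    public int UserId { get; set; }
    public byte[] TokenHash { get; set; }   // SHA-256 of the token: a DB leak does not yield usable links
    public DateTime ExpiresUtc { get; set; }
    public DateTime? UsedUtc { get; set; }  // set on redemption so each link works exactly once
}

public static class PasswordReset
{
    private const int TokenBytes = 32;                                  // 256 bits of raw entropy
    private static readonly TimeSpan Lifetime = TimeSpan.FromHours(1);  // assumed lifetime

    // Returns the token to put in the e-mailed link and the row to persist. Only the hash is stored.
    public static (string Token, PasswordResetRecord Record) Issue(int userId, DateTime nowUtc)
    {
        var raw = new byte[TokenBytes];
        using (var rng = RandomNumberGenerator.Create())   // CSPRNG, never System.Random or Guid.NewGuid()
            rng.GetBytes(raw);

        string token = BitConverter.ToString(raw).Replace("-", "");  // 64 hex chars, URL-safe
        var record = new PasswordResetRecord { UserId = userId, TokenHash = Hash(token), ExpiresUtc = nowUtc + Lifetime };
        return (token, record);
    }

    // Checks a presented token against its stored row: unexpired, unused, and hash equal in constant time.
    // The caller loads the row (e.g. by user id) and must persist UsedUtc before changing the password.
    public static bool Redeem(string presentedToken, PasswordResetRecord record, DateTime nowUtc)
    {
        if (record == null || record.UsedUtc.HasValue || nowUtc > record.ExpiresUtc) return false;
        if (!CryptographicOperations.FixedTimeEquals(Hash(presentedToken), record.TokenHash)) return false;
        record.UsedUtc = nowUtc;   // burn the token so the link cannot be replayed
        return true;
    }

    private static byte[] Hash(string token)
    {
        using (var sha = SHA256.Create())
            return sha.ComputeHash(Encoding.UTF8.GetBytes(token));
    }
}
```

Storing the hash rather than the token means a read-only database compromise does not hand out working reset links, and the expiry and single-use columns answer the timer question from the post.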