I Forgot My Password

Web identities and authentication center around email accounts. The assumptions are that one email address belongs to one person, that anyone with access to it can be trusted, and that all email accounts are secure. Because of this, if you forget your password for a web service, your email account is the key to getting it reset. When those assumptions fail, you can lose a lot.

There are some flaws in the above assumption:

Because of these flaws, the reset process needs to be designed on the assumption that the email it sends is insecure, either now or in the future, and that any breach of security should be immediately visible to the account owner. Here's a summary of the process for resetting a password:

Drupal does pretty well at this (though the explanatory text could be better), but the best practice I've seen recently is from DynDNS, whose emails are copied below (I've replaced some information with placeholders in <> brackets).

----

Example email from DynDNS (Step 1):

----

Subject: Password Reset Request
From: DynDNS Support <support@dyndns.com>

Dear Valued Customer,

Someone has requested that the password for your account,
username <username>, be reset.

If you did not make this request, please simply disregard this
e-mail; it is sent only to the address on file for your account,
and will become invalid after 48 hours, so you do not have to
worry about your account being taken over.

To choose a new password, please go to the following URL:

https://www.dyndns.com/account/resetpass/<unique-key>

This request originated from <IP address>
Your username is <username>

Sincerely,
The DynDNS Team

----

Example email from DynDNS (Step 2):

----

Subject: Successful Password Change
From: DynDNS Support <support@dyndns.com>

Dear Valued Customer,

Your password for the DynDNS login system has been successfully
changed. The new password is not printed here to protect your
privacy, and your username is confirmed below.

Username: <username>

If you have not requested this change, your account most likely
has already been compromised. You should immediately request a
password reset at https://www.dyndns.com/account/resetpass/ to
change your password to a new, secure value. You should only
ever log in to your account through secured (https) links, and you
should not use a dictionary word as your password.

IMPORTANT NOTE: You must keep the e-mail address we have on file
for you up-to-date. Any accounts which cause bounced e-mails
will be terminated.

Thank you for choosing Dynamic Network Services, Inc.

Sincerely,
The DynDNS Team

----
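The process the two emails illustrate (a random single-use key sent only to the address on file, valid for 48 hours, followed by a confirmation that never contains the password), as an added Python example that is not DynDNS's or Drupal's code. The host name, the in-memory user table, the injected clock and the email-sending callable are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

RESET_TTL_SECONDS = 48 * 3600  # the 48-hour validity the DynDNS email states
RESET_URL = "https://example.invalid/account/resetpass/"  # placeholder host, not DynDNS

def hash_password(password):
    salt = secrets.token_bytes(16)  # PBKDF2 with a random salt; stored as salt || key
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def verify_password(stored, password):
    salt, key = stored[:16], stored[16:]
    return hmac.compare_digest(key, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000))

class PasswordResetService:
    """Token emailed to the address on file, stored hashed, single use, expiring."""

    def __init__(self, users, send_email, now):
        self.users = users            # username -> {"email": str, "password_hash": bytes}
        self.send_email = send_email  # callable(to_address, subject, body)
        self.now = now                # clock callable, injected so expiry is testable
        self.pending = {}             # sha256(token) -> (username, expires_at)

    def request_reset(self, username, request_ip):
        user = self.users.get(username)
        if user is None:
            return  # same outward response as success: never reveal which usernames exist
        token = secrets.token_urlsafe(32)  # 256 random bits: the <unique-key> in the URL
        digest = hashlib.sha256(token.encode()).hexdigest()  # only the hash is kept server-side
        self.pending[digest] = (username, self.now() + RESET_TTL_SECONDS)
        self.send_email(user["email"], "Password Reset Request",
                        f"To choose a new password, go to {RESET_URL}{token}\n"
                        f"This request originated from {request_ip}\nYour username is {username}")

    def complete_reset(self, token, new_password):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # single use, whether or not it succeeds
        if entry is None:
            return False
        username, expires_at = entry
        if self.now() > expires_at:
            return False
        user = self.users[username]
        user["password_hash"] = hash_password(new_password)
        self.pending = {d: e for d, e in self.pending.items() if e[0] != username}  # void other tokens
        self.send_email(user["email"], "Successful Password Change",  # never includes the password
                        f"Username: {username}\nIf you did not request this, reset it now at {RESET_URL}")
        return True
```

The reset page must also accept the new password only over https, and the "originated from" line is there so the recipient can recognise a request that was not theirs.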

This still doesn't handle the case where control of your email address has passed to someone else: there, online accounts should perhaps require additional verification for password resets if they have been inactive for more than a year. It should also be easier to delete accounts you own (with an appropriate retention period in case the deletion request is itself malicious), so you can clean up before leaving an old email address behind.