Forgot Password done the right way
— October 24 2009
Most sites today are still vulnerable to a simple and stupid attack: the password reset form.
When a user forgets his password, he needs a way to get back into his account through his e-mail. That requires a confirmed e-mail address, which is reasonable. But in many apps anyone can reset somebody else's password simply by hitting the I forgot my Password button and entering that person's e-mail address: the account's password is replaced with a freshly generated one, and the new password is mailed to the address.
This doesn’t make any sense:
- I won’t remember the automatically generated password you’re sending me.
- Anyone who knows my e-mail address can reset my password, locking me out until I read the new one.
Worse offenders store your password in the database in a retrievable format (plaintext or reversibly encrypted) and simply e-mail it back to you. A site should never store a password that can be read back: anyone who gets a copy of the database, an attacker or a careless admin, gets every user's password, and many of those passwords are reused on other sites.
We’ve given this some thought for Teambox 2.0, and this is the way we think Password Retrieval should be done:
- User mistypes or forgets his password, so he hits I forgot my Password.
- An e-mail is sent to him with a special log-in link containing a random, single-use token that expires after a short time. The password itself is not reset.
- When following the link, he lands on a page where he can choose a new password; only then is the old one replaced.
- Never store passwords, only salted one-way hashes of them to compare against; a hash can be checked against a password attempt but cannot be turned back into the password.
This way an attacker can't reset your password just by knowing your e-mail address, and to log in again you set a password you'll actually remember. Obvious benefits on both counts.
Why are most sites still doing this wrong?
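The flow above, as an added example that is not Teambox code or part of the original post. It uses hypothetical in-memory dictionaries in place of the users and reset-token tables, a made-up reset URL, a one-hour token lifetime, and PBKDF2 as the one-way password hash (bcrypt or scrypt would serve equally well). The points it demonstrates beyond the prose: the reset request changes nothing about the account, only a hash of the token is stored so a database leak does not hand out working reset links, the token is consumed on first use, expired or unknown tokens are rejected, and password checks use a constant-time comparison.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Hypothetical in-memory stores standing in for the users and reset_tokens tables.
USERS = {}          # email -> {"salt": bytes, "pw_hash": bytes}
RESET_TOKENS = {}   # sha256(token) hex -> {"email": str, "expires": float}

TOKEN_TTL_SECONDS = 3600   # assumption: a reset link is valid for one hour
PBKDF2_ROUNDS = 100_000    # assumption: work factor for the password hash


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted one-way hash; the stored value cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def set_password(email: str, password: str) -> None:
    """Store only a fresh salt and the hash, never the password itself."""
    salt = secrets.token_bytes(16)
    USERS[email] = {"salt": salt, "pw_hash": hash_password(password, salt)}


def create_user(email: str, password: str) -> None:
    set_password(email, password)


def verify_password(email: str, password: str) -> bool:
    """Log-in check: hash the attempt with the stored salt and compare in constant time."""
    user = USERS.get(email)
    if user is None:
        return False
    candidate = hash_password(password, user["salt"])
    return hmac.compare_digest(candidate, user["pw_hash"])


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Steps 1-2: the user hits 'I forgot my password'. Nothing about the account changes.

    Returns the link to mail to the confirmed address, or None for an unknown e-mail.
    The web handler should show the same 'check your inbox' page in both cases so the
    form cannot be used to discover which addresses have accounts.
    """
    if email not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 256 bits of randomness, unguessable
    # Store only a hash of the token: a leaked table still cannot be used to log in.
    RESET_TOKENS[hashlib.sha256(token.encode("utf-8")).hexdigest()] = {
        "email": email,
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return f"https://example.invalid/reset/{token}"   # hypothetical URL scheme


def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Steps 3-4: the user follows the link and picks a new password.

    The token is removed on first use (valid or not), so the link sitting in the
    mailbox cannot be replayed; expired and unknown tokens are rejected alike.
    """
    now = time.time() if now is None else now
    record = RESET_TOKENS.pop(hashlib.sha256(token.encode("utf-8")).hexdigest(), None)
    if record is None or now > record["expires"]:
        return False
    set_password(record["email"], new_password)   # old hash replaced only here
    return True


if __name__ == "__main__":
    create_user("alice@example.invalid", "hunter2")           # constructed sample user
    link = request_reset("alice@example.invalid")
    assert verify_password("alice@example.invalid", "hunter2")  # request changed nothing
    token = link.rsplit("/", 1)[1]
    assert complete_reset(token, "correct horse battery")
    assert not complete_reset(token, "replay attempt")          # single use
    assert verify_password("alice@example.invalid", "correct horse battery")
```

In a real deployment the link is sent only to the address already on file, the handler for a successful reset should also invalidate the user's other sessions, and the response to the reset request must not differ for known and unknown addresses.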
