Generating a password reset token without any expiration time opens up a potential security flaw. Not a very easily exploitable one, but an easily preventable one nonetheless. More info: http://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet#Step_3.29_Send_a_Token_Over_a_Side-Channel
In addition to their email account being compromised, there's another possible scenario: if a user clicks Reset Password but never gets around to actually resetting their password, anyone who gets access to the backend database at any point in the future can reset that user's password. This would be much faster than trying to crack the encrypted password. And since by default there is no email sent upon password change, the user might not ever know that their account has been compromised.
Generating a password reset token without any expiration time opens up a potential security flaw. Not a very easily exploitable one, but an easily preventable one nonetheless.
I agree. Password resets should expire for the reasons you list. This has been on my radar, but I'll have to think about how best to address this. It's likely a breaking change that will need to go to 2.0.
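One way to close both gaps raised in the thread (no expiry, and a database copy being enough to reset an account), as an added example that is not the project's own code: the token sent by email is random and single-use, only its SHA-256 hash is stored next to a timestamp, and verification refuses anything older than a fixed window. The 15-minute TTL, the `USERS` dict standing in for the users table, and the `now` parameter (injected so the expiry can be checked deterministically) are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical policy for this example: a reset link is only honoured for 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60

# Constructed in-memory stand-in for the users table; a real app would use its database.
# Only the hash of the token is persisted, so someone who reads the table later
# cannot replay the stored value as a working reset link.
USERS = {}


def issue_reset_token(user_id, now=None):
    """Create a fresh reset token for user_id.

    Returns the plaintext token (the only thing that goes into the email) and
    stores just its hash plus the issue time. Re-issuing overwrites any earlier
    token, so only the newest link is ever valid.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    USERS[user_id] = {
        "reset_token_hash": hashlib.sha256(token.encode()).hexdigest(),
        "reset_sent_at": now,
    }
    return token


def consume_reset_token(user_id, presented, now=None):
    """Return True if `presented` is the current, unexpired token for user_id.

    The token is cleared on success (single use) and whenever it is found to be
    expired, so a stale record never lingers in the table. A wrong guess inside
    the window does not clear it, which keeps a guesser from cancelling a
    legitimate reset.
    """
    now = time.time() if now is None else now
    rec = USERS.get(user_id)
    if rec is None or rec.get("reset_token_hash") is None:
        return False

    expired = (now - rec["reset_sent_at"]) > TOKEN_TTL_SECONDS
    presented_hash = hashlib.sha256(presented.encode()).hexdigest()
    # Constant-time comparison of the hashes, not the raw tokens.
    matches = hmac.compare_digest(presented_hash, rec["reset_token_hash"])

    if expired or matches:
        rec["reset_token_hash"] = None
        rec["reset_sent_at"] = None

    return matches and not expired


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed fixed clock for the demo
    link_token = issue_reset_token("alice", now=t0)
    print("fresh token accepted:", consume_reset_token("alice", link_token, now=t0 + 60))
    print("same token again:", consume_reset_token("alice", link_token, now=t0 + 61))
    link_token = issue_reset_token("alice", now=t0)
    print("after TTL:", consume_reset_token("alice", link_token, now=t0 + TOKEN_TTL_SECONDS + 1))
```

Expiring the token at verification time (rather than only purging old rows in a cron job) means a leaked database snapshot is worthless once the window has passed, and storing the hash means the snapshot is worthless even inside the window. Sending a notification email on successful password change, which the original report notes is off by default, is the remaining piece and is independent of this logic.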