
ASP MVC 2 Forgot Password

I am working on implementing a Reset/Forgot Password feature in a ASP.Net MVC 2 web application.

I have read a number of posts on here that give essentially these steps:

  • User clicks "reset" password.
  • User is asked for an email.
  • User enters email and clicks send.
  • You create a secure hash (can use RNGCryptoServiceProvider)
  • Store hash, user info (email address is unique so I can store user id?? is this correct?) and datetime info (for expiration) in a PasswordReset table
  • Send the link with hash as param to the email address specified.
  • I would like to accomplish this without using security questions.

    My question is the verification process once the link is clicked from the user. Do I simply just look up the hash and email address in the PasswordReset Table? What if the user email account gets hacked? Then the hacker can simply click on the link and reset the password to anything. I'm missing how to integrate the necessary security check in the verification process.
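The steps listed in the question, put together as an added example (not code from the question or either answer): a token generator and verifier for the forgot-password flow in C# for .NET 3.5/4 as used with ASP.NET MVC 2. The PasswordReset table is stood in for by the hypothetical `PasswordResetRecord` class and an in-memory list; the type and field names are assumptions, not from the page. The points it demonstrates that the question's step list does not: the value stored in the table is the SHA-256 of the random token, not the token itself (so someone who can read the table cannot forge a link), the record holds the user id rather than the email address, the token expires and is single-use, and verification happens on the token alone.

```csharp
// Added example (not from the question or answers): token generation and
// verification for a forgot-password flow in ASP.NET MVC 2 / .NET 3.5+.
// PasswordResetRecord and the in-memory Table are hypothetical stand-ins for
// the PasswordReset table the question describes.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public class PasswordResetRecord
{
    public Guid UserId;        // store the user id, not the email; the email may change
    public byte[] TokenHash;   // SHA-256 of the raw token; the raw token exists only in the email
    public DateTime ExpiresUtc;
    public bool Used;
}

public static class PasswordResetService
{
    static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(30);
    // Hypothetical stand-in for the PasswordReset table.
    static readonly List<PasswordResetRecord> Table = new List<PasswordResetRecord>();

    // "Send" step: generate a 256-bit random token with RNGCryptoServiceProvider,
    // store only its hash plus expiry, and return the raw token to put in the link.
    public static string CreateToken(Guid userId)
    {
        byte[] raw = new byte[32];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(raw);

        Table.Add(new PasswordResetRecord
        {
            UserId = userId,
            TokenHash = Sha256(raw),
            ExpiresUtc = DateTime.UtcNow.Add(Lifetime),
            Used = false
        });
        return ToUrlSafeBase64(raw);
    }

    // Verification when the link is clicked: hash the presented token, find the
    // matching record, enforce expiry and single use. Returns the user id on
    // success and null on any failure; the caller then shows the new-password form.
    public static Guid? Verify(string token)
    {
        byte[] raw;
        try { raw = FromUrlSafeBase64(token); }
        catch (FormatException) { return null; }
        byte[] hash = Sha256(raw);

        foreach (PasswordResetRecord rec in Table)
        {
            if (!FixedTimeEquals(rec.TokenHash, hash)) continue;
            if (rec.Used || DateTime.UtcNow > rec.ExpiresUtc) return null;
            rec.Used = true;   // burn the token before the password is changed
            return rec.UserId;
        }
        return null;
    }

    static byte[] Sha256(byte[] data)
    {
        using (SHA256 sha = SHA256.Create()) return sha.ComputeHash(data);
    }

    // Constant-time comparison. With hashed tokens a timing leak would only reveal
    // stored hash bytes, not the token, but the constant-time loop costs nothing.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static string ToUrlSafeBase64(byte[] b)
    {
        return Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    static byte[] FromUrlSafeBase64(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4)
        {
            case 2: b64 += "=="; break;
            case 3: b64 += "="; break;
        }
        return Convert.FromBase64String(b64);
    }
}
```

In the controller the "send" action calls `CreateToken` and mails a link such as `/Account/ResetPassword?token=...`, responding with the same "if that address is registered, a link has been sent" message whether or not the email exists; the "reset" action calls `Verify`, and only if it returns a user id does it accept a new password and then invalidate the user's existing sessions. None of this stops someone who controls the mailbox, which is the question's concern: the link is by design only as strong as the email account, so the remaining controls are the short lifetime, single use, and a notification to the address when the password actually changes.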

    You could add security question(s) to the 'Reset' process.

    I am not sure what the general consensus is on the link below, but the steps there seem appropriate. https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
