I am working on implementing a Reset/Forgot Password feature in an ASP.NET MVC 2 web application.
I have read a number of posts on here that give essentially these steps:
I would like to accomplish this without using security questions.
*My question is the verification process once the link is clicked by the user. Do I simply just look up the hash and email address in the PasswordReset table? What if the user's email account gets hacked? Then the hacker can simply click on the link and reset the password to anything. I'm missing how to integrate the necessary security check in the verification process.*
You could add security question(s) to the 'Reset' process.
I am not sure what the general consensus is on the link below, but the steps there seem appropriate. https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
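As an added illustration (written for this page, not code from the question, the answer or the OWASP cheat sheet), the following Python sketches the token lifecycle the cheat sheet describes: a high-entropy random token is generated, only its hash is stored in the PasswordReset table, the token expires quickly, it is single-use, other outstanding tokens for the account are voided when one is consumed, and every live session is logged out after the password changes. The request endpoint returns the same message whether or not the address exists, so it cannot be used to enumerate accounts. The same shape transfers directly to an MVC controller (RNGCryptoServiceProvider for the token, SHA-256 of the token as the table key). The class, table and helper names, the 20-minute TTL and the PBKDF2 round count are assumptions for the example. Note what this does not solve: if the mailbox itself is compromised, none of these checks help, because the link is exactly what the mailbox holds; that threat needs a second factor that does not travel through email, which is the gap the security-question suggestion above is meant to fill.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for this example; choose what your policy requires.
TOKEN_TTL_SECONDS = 20 * 60      # reset links expire quickly
PBKDF2_ROUNDS = 200_000

# Identical response for known and unknown addresses (no account enumeration).
GENERIC_RESPONSE = "If that address is registered, a reset link has been sent."


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salthex$digesthex'."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def check_password(stored: str, password: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return secrets.compare_digest(digest.hex(), digest_hex)


@dataclass
class ResetRecord:
    email: str
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Hypothetical in-memory stand-in for the PasswordReset table.

    Keyed by sha256(token), so a read of the table (backup, SQL injection,
    log leak) yields nothing that can be pasted into a reset link.
    """

    def __init__(self, users, sessions, now=time.time):
        self.users = users          # email -> stored password hash
        self.sessions = sessions    # email -> set of live session ids
        self.records = {}           # sha256(token) -> ResetRecord
        self.now = now              # injectable clock, so expiry can be tested

    @staticmethod
    def _token_hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email: str, send_email) -> str:
        """Issue a token for a registered address; the caller emails it."""
        if email in self.users:
            token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
            self.records[self._token_hash(token)] = ResetRecord(
                email, self.now() + TOKEN_TTL_SECONDS)
            # In production, queue the mail so response timing is the same
            # for unknown addresses as for known ones.
            send_email(email, token)
        return GENERIC_RESPONSE

    def verify(self, token: str):
        """Look the clicked link up by hash; reject unknown, used or expired tokens."""
        rec = self.records.get(self._token_hash(token))
        if rec is None or rec.used or self.now() > rec.expires_at:
            return None
        return rec

    def complete_reset(self, token: str, new_password: str) -> bool:
        rec = self.verify(token)
        if rec is None:
            return False
        # Consume this token and void every other outstanding one for the account.
        for other in self.records.values():
            if other.email == rec.email:
                other.used = True
        self.users[rec.email] = hash_password(new_password)
        self.sessions[rec.email] = set()    # log out every existing session
        return True
```

The lookup is by the hash of a 256-bit random value, so the only way to present a valid token is to hold the emailed link; that is why the remaining risk is the mailbox, not the table, and why a factor independent of email is the only thing that closes it.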