Question
Arnold Cota · Aug 9, 2021

Forgot username, forgot password functionality

Hi!

 

I am looking for examples of implementations of a more robust forgot username and forgot password implementation.  Does anyone have one to share, even just a link to the page so I can see how it works, or screenshots?  We would like to implement a secure system for requesting username and resetting password.

Product version: HealthShare 2019.1
2
0 185
Discussion (2)2
Log in or sign up to continue

The SSO system we use for this Developer Community has a "forgot password" implementation. Unfortunately it is down right now, but under normal circumstances  you would be able to try it out here: https://login.intersystems.com/login/SSO.UI.PasswordReset.cls

It works as follows:

  • The user enters their email address into a form. They are then taken to another form with an input for a token.
  • If the email address exists in the system, they are sent an email with a secure random token to input. Otherwise they are sent an email with instructions on how to register for an account.
  • Once the user inputs the token from their email to the page, they are taken to another form to set their new password.

It's important to avoid user enumeration by not revealing in the UI whether or not a user with the provided username or email address exists in the system. You should also hash the password reset tokens before storing them in a database, give them a short lifetime before they expire, and invalidate the token after it's used once.

I highly recommend OWASP for more resources on how to do this securely: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_She...

Thank you!  Have you thought about forgot username?  Our system doesnt use email for user name, we use a value based on a combination of facility and user's name and when folks dont log on everyday they can forget it.