I'm having a little trouble understanding my programmers' reasoning regarding a password reset feature. Can somebody please tell me which of the following is more secure, or if they are equal?
Option 1: The user is sent an email with the following:
Url: http://mysite/reset/user%mail.com
CODE: 57583
The user is then taken to a page where they must manually enter the code, but the email is already populated on the web form.
Option 2: The user is sent the following email:
URL: http://mysite/reset/user%mail.com&code=57583
I'm not a programmer, so I'm sorry if this is a simple question or if my 2nd URL is not formatted properly. My point here is that in example 1 the user must manually enter the code, and in the 2nd example the form is pre-populated with the code.
So would these be effectively just as secure as each other, or does one have a significant security advantage?
Since you are already exposing the user's email via the URL, adding the key doesn't really make it less secure.
You could improve security by not exposing the user's email at all - obscure the email in a token: mysite.com/reset/some-token?key=[key]
and on the page don't display the full email: email@d****.com
That way people can't use brute force methods to see if people are registrants in your system. It's probably not a concern for most sites, but I could see some use cases where not exposing the email and/or registrant list is important.
Both are equally secure - if the email arrives in the user's inbox, and that email is mapped to that user account on your site, you can safely assume it is the user you want. You can add security by allowing users to add alternate emails, and when a password reset code is sent to Email-A, you send out notices to all the other email addresses saying "Hey, you or someone sent a password reset email to Email-A. If this is not cool, click here."
They are both equal, as the email will contain the same information in both cases.
The 2nd option just seems more user-friendly to me. But you could easily offer both (in case someone has a mail client that doesn't allow opening URLs...).
Personally, I would consider both approaches equally secure (with approach 2 being more user-friendly).
However, you should use longer codes. Otherwise they would be too easily guessable, and attackers could reset passwords at will just by guessing the reset tokens.
I would go for the second option. Without doing any harm compared to the first one, it will improve user experience/usability.
As others have mentioned, both are equally secure and the second option is more user-friendly. It is critical, however, that the "code" cannot be easily guessed by an attacker. This means that you should avoid generating codes sequentially or with some easy-to-guess algorithm. Finally, as a precaution against any guessing attacks, you may wish to implement IP-based blocking if you feel a certain IP address is attempting to incorrectly guess a code. Another option might be to lock a user's account from having the password be reset if the code is guessed incorrectly 10 times (for example).
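To tie together the points made in the answers above (a long unguessable code, an opaque token in the URL instead of the e-mail address, and a lockout after 10 wrong guesses), here is an added example written for this page, not code from the question or any of the answerers. The in-memory store, the 15-minute lifetime and the `selector`/`key` names are my own assumptions; the link it expects to mail is `https://mysite/reset/<selector>?key=<key>`.

```python
import hashlib
import hmac
import secrets
import time

SELECTOR_BYTES = 9        # opaque record id placed in the URL path instead of the e-mail
KEY_BYTES = 32            # 256-bit secret, versus roughly 16.6 bits for a 5-digit code
TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of a reset link
MAX_FAILED_ATTEMPTS = 10      # lockout threshold suggested in the last answer


class ResetTokenStore:
    """In-memory stand-in for the table of pending resets. Only the SHA-256
    digest of the key is stored, so a leaked table yields no working links."""

    def __init__(self, now=time.time):
        self._now = now      # injectable clock so expiry can be tested
        self._records = {}   # selector -> record

    def issue(self, account_id):
        """Start a reset for account_id and return (selector, key) to e-mail.
        Neither value is derived from the address, so the link cannot be used
        to probe which addresses are registered."""
        selector = secrets.token_urlsafe(SELECTOR_BYTES)
        key = secrets.token_urlsafe(KEY_BYTES)
        self._records[selector] = {
            "account_id": account_id,
            "key_digest": hashlib.sha256(key.encode()).digest(),
            "expires": self._now() + TOKEN_TTL_SECONDS,
            "failures": 0,
        }
        return selector, key

    def redeem(self, selector, key):
        """Return the account_id for a valid selector/key pair, else None.
        A correct key consumes the record (single use); a wrong key is counted
        and after MAX_FAILED_ATTEMPTS the record is dropped, forcing a new request."""
        rec = self._records.get(selector)
        if rec is None:
            return None
        if self._now() > rec["expires"]:
            del self._records[selector]
            return None
        digest = hashlib.sha256(key.encode()).digest()
        if not hmac.compare_digest(digest, rec["key_digest"]):  # constant-time compare
            rec["failures"] += 1
            if rec["failures"] >= MAX_FAILED_ATTEMPTS:
                del self._records[selector]
            return None
        del self._records[selector]
        return rec["account_id"]
```

Because every guess is counted per selector and the selector itself is random, an attacker who only knows a user's e-mail address has nothing to submit guesses against.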