Insecure Password Reset

Password reset mechanisms are high-value targets because they provide an alternative path to account takeover without knowing the password.

Guessable reset tokens:

# Vulnerable: time-based or sequential token
token = str(int(time.time()))  # Predictable!
token = hashlib.md5(email.encode()).hexdigest()  # Deterministic — no randomness!

Token not expiring: A reset token emailed to a user must expire (typically 15-60 minutes). If tokens never expire, an attacker can target old email breaches.

User enumeration via error messages:

# Vulnerable: reveals whether email exists
if not user_exists(email):
    return "No account found for this email"  # Attacker now knows!
return "Reset link sent"

Token not invalidated after use: A reset token used once should be immediately invalidated. If it can be reused, an attacker who intercepts the email link can reset the password again later.

Implement password reset securely with cryptographically random tokens, short expiry, and generic responses.

Cryptographically secure token:

import secrets
import hashlib

def generate_reset_token():
    token = secrets.token_urlsafe(32)  # 256 bits
    # Store the hash, not the raw token
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    expiry = datetime.utcnow() + timedelta(minutes=30)
    db.store_reset_token(token_hash, expiry)
    return token  # Send raw token in email, store only hash

Generic response (no enumeration):

def request_reset(email):
    user = db.find_user(email)
    if user:  # Only send email if user exists
        token = generate_reset_token()
        send_reset_email(email, token)
    # ALWAYS return the same message
    return "If an account exists for this email, a reset link has been sent."

Defense checklist:

• Use secrets.token_urlsafe(32) or equivalent
• Expire tokens after 30 minutes
• Invalidate tokens immediately after use
• Return identical responses for valid and invalid emails
• Rate-limit reset requests per IP and email