I am re-implementing the "reset password" functionality for the next version of my user management system. The way it works currently is:
- The user enters their username and email address.
- If this information is correct, a random token is generated and stored in the DB, and a link with the token is sent to the user's email address on file.
- The user clicks the link, with the option to either "confirm" or "deny" the reset request.
- If they confirm the reset request, they must enter their email address, as well as their new password (and repeat the new password as well). This is POSTed to the server along with the token. If the email address matches the token, and the reset request hasn't yet expired, the password is updated.
My question is: do we really need the user to re-enter their email address when they create the new password? If the random token is sufficiently strong, does requiring this extra piece of information provide any added security, or does it just worsen UX?
I don't see any value in doing this. Just make your key secure. Perhaps a 128-bit (that's 22 base 64 encoded characters) secure random. That seems large enough. Also add a timeout to the token life span. 24 hours seems a fine compromise between security and inconvenience.
I like the idea of adding the email address to the token so you can log failures more intelligently.