What do you do when a user forgets their password? There are a number of approaches. For an internal user within an organisation, it usually means phoning the helpdesk. Where an application is public-facing, running a helpdesk for this is usually cost-prohibitive, so self-service functionality is provided instead.
The challenge with self-service is that it can open up a number of avenues for attack.
For example, an error message that differs depending on whether the supplied username exists tells an attacker that the account is valid. That makes it easy to script a series of username guesses and build a list of valid IDs from the responses, so the reset page should return the same response whether or not the user exists.
The approach I've seen used quite well in a number of instances to let a user reset a forgotten password is to ask some qualifying questions to establish the authenticity of the user, then email a unique tokenised URL to their registered email address. Security can be increased by generating the token from a cryptographically secure random source so it cannot be guessed, giving the URL a fixed life of a few hours, and ensuring it can only be used once.
Finally, once the user has clicked through the URL and successfully changed their password, email them a confirmation of the change, so the legitimate account owner is alerted if someone else performed the reset.