Python for Entrepreneurs Transcripts
Chapter: Sending and receiving email
Lecture: Introduction to password resets

0:03 You will be understandably eager to launch your web app as soon as possible. And, to do so, you are going to need to cut corners.
0:13 However, you should know which corners you maybe shouldn't cut. One of these is actually implementing some sort of
0:20 "I forgot my password" mechanism in your web application. Users will forget their passwords, it's surprising,
0:27 the first time I launched some app that had many users and they had to create an account and log in,
0:32 I was fortunate enough to have put this "reset your password" feature in there
0:38 and have analytics that I could watch in real time, what people were up to. And, within like the first half hour, somebody reset their password,
0:45 how could they have forgotten their password in half an hour? I have no idea, but, they must have had some sort of trouble logging in,
0:51 so they came and they reset their password. And they logged in and everything was great for them.
0:55 So I just want to point out that you are going to need this probably sooner than you think and you are definitely going to need it along the way.
1:02 You can't look at somebody's information in the database and know their passwords, so you can't help them.
1:07 If they send you a message and say hey I forgot my password, can you help me out, like go to the forgot your password, that is how I help you out.
1:15 Alright, so we are going to talk about the mechanics and features of this "reset your password" flow.
1:23 We actually have almost everything we need already in place, so it's not too much work, so I'll take you through it.
1:29 Now, before we build this in code, let's talk about the keys to a good password reset process.
1:35 There are a couple of things you want to be really careful about, first of all, most importantly, this should not be guessable.
1:42 Here are two possible URL schemes, which of course derive from the underlying database schema,
1:49 here at the top one, if I want to reset my password at Talk Python To Me, I could do this, I could say account/reset/some big alphanumeric string
2:00 that is very hard to guess. Or, I could use an auto-incrementing id type thing,
2:06 password reset one, password reset two, if you go to reset your password and you see you are 1214, there is a good chance that you want to see
2:16 what is at 1216, or 11 or whatever, right, if this is guessable, it's really a bad idea, you could possibly find somebody else's unused reset,
2:27 set their password and log in to their account, that would be super bad. So, make sure this is not guessable.
2:35 We'll see that Python and SQLAlchemy make this super easy to do but you want to just keep in mind.
2:40 These resets shouldn't last forever, they could last for a while, a day, a week something like that, but you shouldn't have them lying around forever.
2:47 Just because they are harder to guess, you don't want unused resets hanging on your system that people could potentially
2:53 come along and discover somehow, find and mess with, right? So, they shouldn't be around forever, they should expire,
3:00 so again, we'll talk about how to do that in the schema. They also should not be able to be used twice,
3:07 once you've used your reset password, if you need to reset your password again, just go through the process again.
3:12 And finally, this one is a little more nuanced, consider how sensitive it is, whether somebody could use the password reset,
3:19 to discover if somebody is registered at a site. So if you have some silly simple little web app that lets you like favour poets on your forum,
3:30 understanding whether an account is registered there is probably not a big deal.
3:35 On the other hand, if you are somewhere that knowledge of even using the account, even the existence of an account is super sensitive,
3:45 like Ashley Madison, which was an adult website for people specifically who are married, who have affairs, now, suppose somebody comes along,
3:58 they are concerned that maybe their spouse has created an account there,
4:03 they could go to the password reset thing and just enter their spouse's email address and it goes great we've found your account and sent you an email,
4:10 they don't actually care whether they get the email, they don't care whether they can reset the password
4:16 but they've used this reset password process to learn something very bad about their spouse, that their spouse is registered at this affair site.
4:24 How you respond when somebody submits one of these password reset forms may somewhat be determined by
4:31 how sensitive it is knowing some account exists here, similarly, if it's like say banking of some sort, somebody could take a set of credentials,
4:41 like LinkedIn had millions of accounts stolen, Yahoo had like nearly a billion accounts stolen, some ridiculous number of emails stolen.
4:53 You could take those and then just replay those against like your reset password over and over and over, and then figure out what the response is
5:01 and go oh it looks like these 200 accounts are registered, now let's try to go and guess their passwords and try to break into them.
5:10 So there is all sorts of reasons knowing whether or not an account is registered, may or may not be a big deal.
5:16 On my website, I store absolutely no credit card data, no billing information, no addresses, just email, password and access to the courses,
5:25 so I am less concerned about leaking that information than if I were a bank or some sort of adult site type of thing.
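The four rules of this lecture (a reset that is not guessable, that expires, that can only be used once, and a response that does not reveal whether an account exists) worked through as an added Python example. This is not the course's code: it uses a plain in-memory dictionary where the course uses a SQLAlchemy table, and the names ResetStore, request_reset, consume_reset and run_scenario are my own. The sample user is constructed.

```python
"""Password reset flow: unguessable, expiring, single-use, non-enumerating.

Added example (not the course's code). An in-memory dict stands in for the
SQLAlchemy table the course builds; the rules are the same either way.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Resets should not last forever: a day here, as the lecture suggests.
RESET_TTL = timedelta(days=1)

# Same message whether or not the address is registered, so the form cannot
# be used to discover which accounts exist.
GENERIC_MESSAGE = "If that address is registered, we've emailed a reset link."


def _sha256(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


@dataclass
class Reset:
    email: str
    created: datetime
    used: Optional[datetime] = None  # set once the reset has been consumed


@dataclass
class ResetStore:
    # email -> stored password record (placeholder string; a real app uses a
    # purpose-built slow password hasher, never a bare SHA-256)
    users: Dict[str, str] = field(default_factory=dict)
    # sha256(token) -> Reset; only the hash is stored, so a leaked table does
    # not hand out usable reset links
    resets: Dict[str, Reset] = field(default_factory=dict)


def request_reset(store: ResetStore, email: str,
                  now: Optional[datetime] = None) -> Tuple[str, Optional[str]]:
    """Return (message shown to the user, token to put in the emailed link).

    The message is identical for known and unknown addresses. The token is
    returned here only so the caller can email it; it is None when there is
    no account, and nothing about that difference is shown on the page.
    """
    now = now or datetime.now(timezone.utc)
    if email not in store.users:
        return GENERIC_MESSAGE, None
    # 32 random bytes (256 bits) from the OS CSPRNG: not guessable, unlike an
    # auto-incrementing id such as /account/reset/1214
    token = secrets.token_urlsafe(32)
    store.resets[_sha256(token)] = Reset(email=email, created=now)
    return GENERIC_MESSAGE, token


def consume_reset(store: ResetStore, token: str, new_password: str,
                  now: Optional[datetime] = None) -> bool:
    """Apply the reset if the token is known, unexpired and unused."""
    now = now or datetime.now(timezone.utc)
    record = store.resets.get(_sha256(token))
    if record is None:
        return False                      # unknown or tampered token
    if record.used is not None:
        return False                      # already used once: ask for a new one
    if now - record.created > RESET_TTL:
        return False                      # expired
    record.used = now                     # mark consumed before changing anything
    store.users[record.email] = "placeholder-hash-of:" + new_password
    return True


def run_scenario() -> dict:
    """Exercise every rule with a fixed clock; returns the observed outcomes."""
    store = ResetStore(users={"alice@example.com": "placeholder-hash"})  # constructed
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    msg_known, token = request_reset(store, "alice@example.com", t0)
    msg_unknown, none_token = request_reset(store, "nobody@example.com", t0)
    first = consume_reset(store, token, "new-pw", t0 + timedelta(hours=1))
    second = consume_reset(store, token, "new-pw", t0 + timedelta(hours=1))
    _, token2 = request_reset(store, "alice@example.com", t0)
    expired = consume_reset(store, token2, "new-pw", t0 + timedelta(days=2))
    return {
        "same_message": msg_known == msg_unknown == GENERIC_MESSAGE,
        "unknown_gets_no_token": none_token is None,
        "token_length": len(token),
        "raw_token_not_stored": token not in store.resets,
        "first_use": first,
        "second_use": second,
        "expired_use": expired,
        "bogus_use": consume_reset(store, "not-a-real-token", "x", t0),
    }


if __name__ == "__main__":
    for rule, outcome in run_scenario().items():
        print(f"{rule}: {outcome}")
```

The user-facing message never changes, the raw token exists only in the emailed link, and a second use or a late use is refused; expiry is checked against the stored creation time so the table can also be swept periodically.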

