Python for Entrepreneurs Transcripts
Chapter: Sending and receiving email
Lecture: Introduction to password resets

Login or purchase this course to watch this video and the rest of the course contents.
0:03 You will be understandably eager to launch your web app as soon as possible.
0:08 And, to do so, you are going to need to cut corners.
0:12 However, you should know which corners you maybe shouldn't cut.
0:16 One of these is actually implementing some sort of
0:19 "I forgot my password" mechanism in your web application.
0:22 Users will forget their passwords, it's surprising,
0:26 the first time I launched some app that had many users
0:29 and they had to create an account and log in,
0:31 I was fortunate enough to have put this "reset your password" feature in there
0:37 and have analytics that I could watch in real time, what people were up to.
0:40 And, within like the first half hour, somebody reset their password,
0:44 how could they have forgotten they password in half an hour?
0:47 I have no idea, but, they must have had some sort of trouble logging in,
0:50 so they came and they reset their password.
0:52 And they logged in and everything was great for them.
0:54 So I just want to point out that you are going to need this probably sooner than you think
0:58 and you are definitely going to need it along the way.
1:01 You can't look at somebody's information in the database
1:04 and know their passwords, so you can't help them.
1:06 If they send you a message and say hey I forgot my password, can you help me out,
1:10 like got to the forgot your password, that is how I help you out.
1:14 Alright, so we are going to talk about the mechanics
1:18 and features of this "reset your password" flow.
1:22 We actually have almost everything we need already in place, so it's not too much work,
1:26 so I'll take you through it.
1:28 Now, before we build this in code, let's talk about the keys
1:31 to a good password reset process.
1:34 There is a couple of things you want to be really careful about,
1:36 first of all, most importantly, this should not be guessable.
1:41 Here is two possible URL schemes,
1:44 which of course derive the underlined database schema,
1:48 here at the top one, if I want to reset my password at Talk Python To Me,
1:53 I could do this, I could say account/reset/some big alphanumeric string
1:59 that is very hard to guess.
2:01 Or, I could use an auto-incrementing id type thing,
2:05 password reset one, password reset two, if you got to reset your password
2:09 and you see you are 1214, there is a good chance that you want to see
2:15 what is at 1216, or 11 or whatever, right, if this is guessable, it's really a bad idea,
2:23 you could possibly find somebody else's unused reset,
2:26 set their password and log in to their account, that would be super bad.
2:31 So, make sure this is not guessable.
2:34 We'll see that Python and SQLAlchemy make this super easy to do
2:37 but you want to just keep in mind.
2:39 These resets shouldn't last forever, they could last for a while,
2:42 a day, a week something like that, but you shouldn't have them lying around forever.
2:46 Just because they are harder to guess,
2:48 you don't want unused reset hanging on your system that people could potentially
2:52 come along and discover somehow, find and mess with, right?
2:56 So, they shouldn't be around forever, they should expire,
2:59 so again, we'll talk about how to do that in the schema.
3:03 They also should not be able to be used twice,
3:06 once you've used your reset password, if you need to reset your password again,
3:09 just go through the process again.
3:11 And finally, this one is a little more nuanced, consider how sensitive it is,
3:15 whether somebody could use the password reset,
3:18 to discover if somebody is registered at a site.
3:22 So if you have some silly simple little web app
3:26 that lets you like favour poets on your forum,
3:29 understanding whether an account is registered there is probably not a big deal.
3:34 On the other hand, if you are somewhere that knowledge of even using the account,
3:41 even the existence of an account is super sensitive,
3:44 like Ashley Madison, which was an adult website for people specifically who are married,
3:50 who have affairs, now, suppose somebody comes along,
3:57 they are concerned that maybe their spouse has created an account there,
4:02 they could go to the password reset thing and just enter their spouse's email address
4:06 and it goes great we've found your account and sent you an email,
4:09 they don't actually care whether they get the email,
4:12 they don't care whether they can reset the password
4:15 but they've used this reset password process to learn something very bad
4:19 about their spouse, that their spouse is registered at this affair site.
4:23 how you respond when somebody submits one of these password reset forms
4:26 may somewhat be determined by
4:30 how sensitive it is knowing some account exists here,
4:34 similarly, if it's like say banking of some sort,
4:37 somebody could take a set of credentials,
4:40 like LinkedIn had millions of accounts stolen,
4:44 Yahoo had like nearly a billion accounts stolen,
4:48 some ridiculous number of emails stolen.
4:52 You could take those and then just replay those against like your reset password
4:56 over and over and over, and then figure out what the response is
5:00 and go oh it looks like these 200 accounts are registered,
5:04 now let's try to go and guess their passwords and try to break into them.
5:09 So there is all sorts of reasons knowing whether or not an account is registered,
5:12 may or may not be a big deal.
5:15 On my website, I store absolutely no credit card data, no billing information,
5:20 no addresses, just email, password and access to the courses,
5:24 so I am less concerned about leaking that information than if I were a bank
5:29 or some sort of adult site type of thing.