Why are one time password reset links safer than one time passwords?
This could be fine - after all a password reset email contains a "one time password", albeit one that is really a secret key and based upon a long, pseudo random sequence that is unfeasible to brute force.
Also, this could also mean there is a Denial of Service attack against a legitimate user:
- Attacker goes to website, knows that [email protected] is a user (e.g. through a username enumeration vulnerability).
- Attacker presses to reset Bob's password.
- New temporary, secure password sent to [email protected]
- Bob, without current access to his email now cannot log into the system.
Password reset links do not have this flaw, however minor it may be to the system in question.
If temporary passwords are issued, it would be wise to generate one with at least 80 bits of entropy (the current NIST recommendation), and force the user to change it immediately on login, even if they "force browse" to any other URL in the authenticated section of your website. i.e. it should redirect them back to the change password screen until they do, and it should also make sure that they select a different password.
The other problem you've now got it that if the user does not use the temporary password immediately. You've got a password sitting in cleartext in the user's mailbox, which isn't the best location for password storage. You may have to expire this password somehow, leading to additional complexity in your application. Having separate password reset links simplifies things, as its only the instance of a link itself that expires, not their primary password.
In short, it is much easier and more secure to have a separate password reset mechanism that doesn't touch the user's password until they've confirmed that they can in fact access the mailbox associated to the account.
A one-time password and a reset link could be implemented in such a way that they are functionally equivalent. In practice though, a one-time password is probably slightly more secure.
Consider the following reset link:
https://www.example.com/reset/a93f51cd-ae20-46f8-9575-3d9bfa088e5e
Compared with a one-time password of:
a93f51cd-ae20-46f8-9575-3d9bfa088e5e
The typical workflow for the reset link is:
- Click on the link.
- You are presented with a screen to change your password.
- Enter in your new password, confirm it, save.
The typical workflow for the one-time password is:
- Go to the login page.
- Enter in your username and your one-time password.
- (Behind the scenes your one-time password is now invalidated.) You are presented with a screen to change your password.
- Enter in your new password, confirm it, save.
The reason the one-time password is slightly more secure is, as you pointed out, with the one-time password you still need to know your username, whereas typically a reset link does not require you to enter your username. Also, once you have entered in the one-time password, it likely would be immediately invalidated and can no longer be re-used, whereas a reset link typically can be clicked more than once as long as you don't submit the new password change.
In order to make them functionally equivalent, after clicking the reset link you would have to immediately expire the link, and also ask the user to enter in their username along with their new password. Note that one potential downside to immediately expiring the reset link after the first click is that some email and anti-virus programs will follow links to check for malicious content, and this could expire the link before you get the chance to click it.
I don't know exactly why @Polynomial suggested what he suggested but here is what I think about your confusion.
is it really so bad to send a one-time password in plaintext?
I don't believe so. For a malicious user to misuse this, they would need to have access to your mailbox or as you say, the username. Though username might not always be applicable. If you are sent a password reset link, even in that case the attacker will have to have access to your mail.
The areas where I believe the password reset link wins over the one time passwords is that when you implement one time password, you need to do the following:
- Ensure that the password is changed immediately when the user logs in. What if a user and the malicious user both enter the website simultaneously before the password is reset?
- Limit/throttle the number of invalid requests that can be made at password reset using the one time password. What if an attacker tries bruteforce/dictionary attack on the password reset feature? If you have a one time password reset link, you will not have to worry about them.
Does sending passwords over email in plaintext mean absolute incompetence?
Nope. It's just a different philosophy.