M.facebook.com Recover Initiate Reset Password


Roseanne Gennett

May 6, 2024, 4:51:39 AM
to spaceroran

If a hacker has changed your Facebook account password and the associated email, you might think all hope is lost. However, there are still ways to retrieve your Facebook account. Even if the hacker has added a Two-Factor Authenticator or your account has been disabled, you can still recover your Facebook profile.

m.facebook.com recover initiate reset password


Download ✪✪✪ https://t.co/jpWkzh2tCF



Do you want to recover an old Facebook account that you can no longer access? If you've forgotten your login or password, or if you deactivated your account, getting your old Facebook back is easier than you'd think. The steps are a little different if your account was disabled for a violation, but you can still get back in by appealing Facebook's decision. This wikiHow guide will show you simple ways to reopen your old Facebook account.

When I was in the Air Force the security rule we had was: When setting or resetting passwords, do not send the user id and the password in the same email. That way, if someone is intercepting emails snooping for passwords, he has to successfully intercept BOTH emails, and be able to connect them, to breach security.

I've seen a lot of sites that use the "go to this URL to reset your password". Maybe I'm missing something -- I don't claim to be a security expert -- but I don't see how that is any more secure than just inventing a new, temporary password and sending it. If a hacker intercepts the email, why can't he go to that link and see the new password as well as the legitimate user could? It looks to me like extra hassle for the user with no security gain.

As for recovery solutions, I find that the recovery link to change the user's password is the best solution in my experience. It will probably be a bit more convenient for the user, while being largely the same from a security point of view as sending a new random password to be changed after next login. I'd still recommend having the recovery URL expire after a reasonably short period of time, as well as only being usable a single time.

Hard to say what you should do, as pretty much any solution to this problem will weaken security. Unless maybe you want to investigate sending an SMS, callback verification, one-time password generators, or other such schemes that take password recovery to a different medium.

Obviously, you can't send the original password by email, because you're not storing it (right?!). Sending a temporary password (that must be changed, because it only works for one login), and a link to reset the password are equivalent from a security point of view.

Why is sending a token any more secure than sending the password? If an email account has been hacked, it's been hacked. It doesn't matter if there is a link to reset the password, a token, or a new password. Don't forget, most sites don't say "The new password has been sent to the following email address for you to hack into". A hacker would need to guess the email address that needs to be hacked.

I agree with Andy. Aren't security questions normally independent of the password? (mine are) Meaning they have a question and an answer and aren't related to the password. It seems like this is used to prevent spurious password reset requests and actually does have a use.

Imagine - someone could go to a site's "forgot password" utility and enter a zillion email addresses - or just one person they want to annoy. If the password is reset at that point, the people belonging to those email addresses would have to then notice in their email the password reset and log in to the site with the reset password next time they went there. With the security question, this isn't as easy for someone to do.

I see Amazon sends a link to the given email. They also require you to enter a captcha to prevent DOS attacks. Because it's a link, I imagine that means they did not reset the password immediately and it would be reset once the user clicks the link. With the scenario above, the user would just see the email and note that "no I didn't do that" and go about their business not having to change their password needlessly. A security question might have prevented the attempt at the beginning and the legit user from getting the email in the first place.

It really comes down to how much security you want to have. On the one end of the extreme is a password reset process that involves contacting and certifying that you are who you claim to be, e.g. via ID, because your mailbox could be compromised as well. Actually, as people tend to use the same password everywhere, this is very likely. On the other end there is the standard approach that involves just sending out an email with a random new password.

The user requests a password reset by providing their email and filling out captcha. A random hashed value is generated for their retrieve_token field - i.e. md5($user_id.time()), while retrieve_expiration will be set to a datetime that expires in next 45 minutes. Email is sent out to the user with a link:

@Jay. The reason why you go to a URL to reset your password instead of just sending someone a new temporary password is more than just security. Without something like a URL with a token, a person could reset another person's password. There is no need to gain access to the email. If someone had a bone to pick with someone, they could just keep initiating a new password reset. Then the poor target has to log on and change the password again and again.

By sending a token, the user's password does not change until they log in with it and confirm it. The spam of reset emails can be ignored. Tokens are just as easy (if not easier) to generate as a new password by using a GUID, so it's not really extra hassle for the developer.

Also, because the GUID is unique (a generated password might not be), a token can be tied to a username. If the incorrect username is given on the URL, then the token can be cancelled (i.e. when a different person initiates it and someone intercepts it.. assuming that the username isn't the same as the email).

@Jay. The proper use of security questions is to initiate a password reset email, not for actually resetting the password. Without a mechanism such as a security question, one could initiate a password reset. Although seemingly benign, a reset email could be sent to an email address that might no longer belong to the original owner. This is not rare. For example, when employees leave a company, often those mails are forwarded to another employee. A security question adds a low level of obfuscation to that scenario. It also reduces issues where one person keeps initiating a password reset on the wrong account, causing some poor sod to get unintentionally spammed. Security questions are really not meant to be truly secure; they are just meant to reduce scenarios such as those. Anyone using a security question to actually reset the password is doing it wrong.

Consider this situation: A user of your site has left his desk to go to lunch and didn't lock his workstation. A nefarious user can now visit the page for recovering/resetting password and enter the user's username. The system will then email the recovered/reset password without prompting for the security answer.

Here's an example of how someone did it with Node.js, basically generate a random token, an expiry time, send out the link with the token attached, have a reset/:token route that ensures a user exists with that token (which is also not expired) and, if so, redirect to a reset password page.

When you go through the process of sending a photo of your ID to be verified and you receive the email from Facebook confirming your ID is accepted with a link to reset your password, DO NOT CLICK THE LINK IN THE EMAIL!!!! Instead, follow the instructions further down in the email which says something along the lines of

Hi Shelley, what's happened to you is word for word what's happened to me since 5th of June. I have an Oculus attached to my FB as it's my daughter's, so I'm going down that route, and contacted ico.org to report FB for data protection breach, as after submitting my passport I still can't access the account due to needing a login code, but then it says I can reset my password and shows me my new email address and underneath the hacker's, totally breaching my security. It's disgusting. I also have written to FB Ireland and was told by ico.org that they have 8 weeks to reply. I will try everything to get my account back; it's 13 years old and has all my late father's pictures on it, which I don't have now. I feel paranoid every day and scared, as I already have severe anxiety; I just feel targeted. I reported the hacking to Action for Fraud too, which everyone should do as that's what they're for. I've sent my passport repeatedly since, and now it's not recognised and sends me an instant message to my email back saying they can't accept it. Honestly feel I'm going around in circles.

That is the same thing for me as well. Got back to me twice to reset password, but ignore my request to bypass the 2 step authentication the hacker put on. There should be something for that on the list of issues we have to check off. So many with the same problem.

Hi, I had some anxiety on my PC and set up a Facebook code via Microsoft Authenticator app as extra security after putting in password. To my horror, I reset my phone and the codes I had were lost. In saying this, I do have some strong suspicions, due to other security issues I've had, that efforts have been made from possible hackers so that I do not get my account back; however, I know my Facebook account has not gone as I still get friend updates via email. I've contacted Oculus support but I doubt them like everything else at the moment. I get responses from Facebook that I cannot use this feature anymore, as I've sent passport, national insurance number and any other desperate measure I can think of. I could write a sadistic horror film with the Facebook team getting a huge pleasure out of having absolute power and an ego trip. I am exempt from work on medical grounds and mentally I have been really stretched this past six weeks.

If this happens to you, the first step is to use this link ON YOUR PHONE - facebook.com/login/identify. Here, you will attempt to log in and will be asked a series of questions about what email or phone you have access to. Most likely it will be none of them. At which point, near the last screen, you will select "choose another way to authenticate". This will prompt you to enter an email address that you can access and upload your driver's license. When taking the photo of the ID, make sure the ID is on a dark background with all 4 corners visible. Once submitted, the message indicates a response within 48 hours. Continue the above process 5-7 times per day at different times. You will likely receive emails saying that your ID couldn't be verified. Keep submitting. At some point, you will receive an email stating, "Thank you for submitting your ID, to recover your account use the link below or login using the included password". There is a 50/50 chance this will get you back into your account. DO NOT USE THE LINK. Instead, copy the provided password and attempt to log in to your account. There are two outcomes here.
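The token-based reset flow discussed earlier in this post (a random token, a 45-minute expiry, single use, and no password change until the link is followed), sketched in Node.js as an added example that is not part of the original post. The function names and the in-memory `Map` store are hypothetical; the token is drawn from the OS CSPRNG and only its SHA-256 hash is stored.

```javascript
// Added example; issueResetToken, redeemResetToken and the Map store are hypothetical names.
const nodeCrypto = require('node:crypto');

const TOKEN_TTL_MS = 45 * 60 * 1000; // 45-minute lifetime, as in the post

// Only a hash of the token is stored, so a leaked table cannot be replayed as links.
const hashToken = (token) =>
  nodeCrypto.createHash('sha256').update(token).digest('hex');

// Step 1: a reset was requested. The account password is NOT changed here,
// so repeated requests against a victim only produce ignorable emails.
function issueResetToken(store, userId, now = Date.now()) {
  // Invalidate any earlier outstanding token for this user.
  for (const [h, rec] of store) if (rec.userId === userId) store.delete(h);
  // 32 bytes from the OS CSPRNG; not derived from the user id or the clock.
  const token = nodeCrypto.randomBytes(32).toString('hex');
  store.set(hashToken(token), { userId, expiresAt: now + TOKEN_TTL_MS });
  return token; // placed in the emailed link, e.g. /reset/<token>
}

// Step 2: the link was followed. Returns the user id, or null if rejected.
function redeemResetToken(store, token, now = Date.now()) {
  if (typeof token !== 'string' || !/^[0-9a-f]{64}$/.test(token)) return null;
  const key = hashToken(token);
  const rec = store.get(key);
  if (!rec) return null;                 // unknown, superseded or already used
  store.delete(key);                     // single use, even when expired
  if (now > rec.expiresAt) return null;  // past the 45-minute window
  return rec.userId;                     // caller may now show the new-password form
}

// Constructed demo data: two requests for one user, a replay, and an expiry.
function demo() {
  const store = new Map();
  const t0 = 1_700_000_000_000;
  const stale = issueResetToken(store, 'user-42', t0);
  const fresh = issueResetToken(store, 'user-42', t0 + 1000);
  const late = issueResetToken(store, 'user-7', t0);
  return {
    staleRejected: redeemResetToken(store, stale, t0 + 2000) === null,
    firstUse: redeemResetToken(store, fresh, t0 + 2000),
    replay: redeemResetToken(store, fresh, t0 + 3000),
    expired: redeemResetToken(store, late, t0 + TOKEN_TTL_MS + 1),
    storedRaw: store.has(fresh),
  };
}
console.log(demo());
```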
