Password Reset Token Issue

The SBA Application lets an end-user reset or change a password through the “Forgot Password” URL https://certify.sba.gov/users/password/new. An end-user may change the password for security reasons or reset it if it is forgotten. The password reset URL contains a token with special characters, and some email clients encode or decode those characters differently. As a result, the token the end-user retrieves can differ from the one stored in the SBA Application.

Verify Token issue 

  1. Ask the end-user for the password reset URL 

  2. Check whether the URL contains percent-encoded sequences such as %3d or %2a, like the one below 

  3. http://certify.sba.gov/users/password/edit?reset_password_token=ZgZDcdJ2MeBlJ5K8uzmV4g%3D%3D%2A1MnWe  

  4. Go to https://www.url-encode-decode.com/   

  5. Copy and paste the token ZgZDcdJ2MeBlJ5K8uzmV4g%3D%3D%2A1MnWe into the left box 

  6. Remove the trailing We from the token: “ZgZDcdJ2MeBlJ5K8uzmV4g%3D%3D%2A1Mn” 

  7. Click Decode URL 

  8. The decoded token appears in the right box: ZgZDcdJ2MeBlJ5K8uzmV4g==*1Mn 

  9. Give the customer the corrected token together with the URL to reset the password 

  10. http://certify.sba.gov/users/password/edit?reset_password_token=ZgZDcdJ2MeBlJ5K8uzmV4g==*1Mn  

  11. Confirm with the end-user whether the password reset succeeded or failed with the decoded token. 
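The check in steps 2 through 10 can be done locally instead of on a third-party decoding website, which keeps a live reset token off another company's server. The script below is an added example and is not part of the SBA Application; it only assumes the query parameter is named reset_password_token, as the URLs above show. It pulls the raw token out of the URL, reports whether it still carries percent-escapes (step 2), decodes it once (steps 7 and 8), rebuilds the corrected URL (step 10), and flags a token that is still encoded after one pass, which means the mail client encoded it twice. Any trailing characters the email client appended (step 6) must still be removed by hand before passing the URL in.

```python
import re
from urllib.parse import unquote, urlsplit, urlunsplit

# A percent-escape such as %3D (=) or %2A (*), case-insensitive.
PERCENT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
# The reset_password_token parameter, matched at the start of the query or after an &.
TOKEN_PARAM = re.compile(r"(?:^|(?<=&))reset_password_token=([^&]*)")


def extract_token(url: str) -> str:
    """Return the reset_password_token value exactly as it appears in the URL,
    without decoding, so we can tell whether the mail client percent-encoded it."""
    match = TOKEN_PARAM.search(urlsplit(url).query)
    if match is None:
        raise ValueError("URL has no reset_password_token parameter")
    return match.group(1)


def token_is_encoded(token: str) -> bool:
    """Step 2: True if the token still contains percent-escapes like %3D or %2A."""
    return PERCENT_ESCAPE.search(token) is not None


def fix_reset_url(url: str) -> dict:
    """Steps 2-10 in one call: detect an encoded token, decode it once,
    and rebuild the reset URL with the decoded token in place."""
    raw_token = extract_token(url)
    needs_fix = token_is_encoded(raw_token)
    decoded = unquote(raw_token) if needs_fix else raw_token

    parts = urlsplit(url)
    # Use a callable replacement so characters in the token are never treated
    # as regex backreferences.
    new_query = TOKEN_PARAM.sub(
        lambda _: "reset_password_token=" + decoded, parts.query, count=1
    )
    fixed_url = urlunsplit(
        (parts.scheme, parts.netloc, parts.path, new_query, parts.fragment)
    )
    return {
        "needs_fix": needs_fix,
        "raw_token": raw_token,
        "decoded_token": decoded,
        # Still encoded after one decode means the mail client double-encoded
        # the token; inspect it by hand rather than handing fixed_url to the user.
        "still_encoded": token_is_encoded(decoded),
        "fixed_url": fixed_url,
    }


if __name__ == "__main__":
    # Constructed input: the URL from the procedure after the trailing "We"
    # has been removed (step 6).
    sample = (
        "http://certify.sba.gov/users/password/edit"
        "?reset_password_token=ZgZDcdJ2MeBlJ5K8uzmV4g%3D%3D%2A1Mn"
    )
    result = fix_reset_url(sample)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it with the end-user's URL substituted for the sample; when needs_fix is True and still_encoded is False, fixed_url is the link to give the customer in step 10.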

 

Email hosting companies known to cause the token issue: 

  1. 1and1.com

  2. highway 

 

End-user requests a password reset email. (The user must have a valid email address on SBA Certify.) 

  1. Go to https://certify.sba.gov 

  2. Click Login (the blue button in the middle of the page)

  3. Click Forgot Your Password (Red Button) 

  4. Enter a valid email address and click the blue Send the instructions button 

  5. The end-user checks his/her email

  6. Click the reset URL in the email to reset the password