Password Reset Token Issue

The SBA Application enables an end-user to reset or change a password using “Forgot Password” https://certify.sba.gov/users/password/new URL. End-user can change the password for security reasons or reset it if forgotten. The password reset URL contains a token with special characters. Some email clients will decode/encode it differently. As a result, the token is retrieved by the end-user can be different from the one in the SBA Application.  

Verify Token issue 

1. Ask the end-user for the password reset URL 

2. Check the URL contain any non-ASCII characters like %3d, %2a in the URL like the one below 

3. http://certify.sba.gov/users/password/edit?reset_password_token=ZgZDcdJ2MeBlJ5K8uzmV4g%3D%3D%2A1MnWe  

4. Go to URL Encode Decode - URL Percent Encoding and Decoding.   

5. Copy and paste the token ZgZDcdJ2MeBlJ5K8uzmV4g%3D%3D%2A1MnWe on the left box 

6. Remove We at the end of the token “ZgZDcdJ2MeBlJ5K8uzmV4g%3D%3D%2A1Mn” 

7. Click Decode URL 

8. The decoded token will show on the right box ZgZDcdJ2MeBlJ5K8uzmV4g==*1Mn 

9. Give the customer the correct token with the URL to reset the password 

10. http://certify.sba.gov/users/password/edit?reset_password_token=ZgZDcdJ2MeBlJ5K8uzmV4g==*1Mn  

11. Confirm with the end-user if the password reset success or failure with the decoded token. 

Email Hosting companies create token issue are:  

1. 1and1.com

2. highway 

End-user requests password reset email. (User must have a valid email on SBA Certify) 

1. Go to https://certify.sba.gov 

2. Click Login (Blue button on the middle of the page)

3. Click Forgot Your Password (Red Button) 

4. Enter a valid email address and click send the instructions button in blue 

5. End-user check his/her email

6. Click the reset URL in the email to reset the password