Reputation: 17
password recovery without saving user email
hey there. I'm developing a website and i want to have a password recovery system for the users who lost their password, but i don't want to save the user email address or any private data. i thought of saving a hash of the email address but if the db is compromised one could check if an email address is registered and which account it belongs to. do you have any ideas?
Upvotes: 0
Views: 291
Answers (1)
Reputation: 4334
To protect against the DB being compromised and hashes extracted, just add some random (but constant string) to all email addresses before cashing. E.g. add "BLABLABLA" to turn "[email protected]" into "[email protected]" before hashing. It's still not perfect, but now an attacker needs your DB, your application code, reverse engineer it, and know that that's what he needs to do in the first place (there is no hint in the DB that your application modifies the email address before hashing).
Upvotes: 1
Related Questions
- How to create Forgot password in android?
- Implementing password recovery if users have no email account
- Implement password recovery best practice
- password recovery for drupal
- Good password recovery methods
- Password reset by email without a database table
- Password recovery flow - Send Password recovery to any email?
- Database table for password recovery via email link
- Password Recorevy Without email
- Password Recovery without sending password via email