Ask HN: How to implement password reset without storing email on a server
Hello all,
to address privacy concerns, my application is required not to store any email addresses on a server. Does anybody have any ideas how to implement password reset without sending confirmation email with a reset link in it?
4 comments
[ 2.6 ms ] story [ 28.9 ms ] threadWhen password resetting ask for email, hash and match it against you stored hash.
If matching generate new password and store it, send the generated password to the email input by the user. Though it would likely be preferable to send some form of password-reset-token instead of a password which allows them to change to a new password within X time.
This way you never store their email-address in a usable plain-text.
But if your question was more to alternate methods than email in any form, hmmm, nope, sorry, can't think of any right now that are less invasive on privacy with the same security benefits.
I'd be sure to lowercase it before hashing.
Off the top of my head, I'd probably consider the following options in order of decending useful/goodness: * Ask for the email address at signup, store a hash, then at reset ask for it again and verify that the hash matches * Ask for/store some other allowed information, then verify that the user wants a reset through that (confirmation code): - Eg collect a phone number and do password resets via SMS/call people who want their password reset - Eg collect a domain and require them to publish a file/txt record that has their email address to send a reset * Give the user some token (eg a specific file). If they can provide the token, allow them to change their password * Get the user to authenticate themselves with a client-side certificate or password. Allow reset only when the user's logged in (ie if they have the certificate or previously knew the password) * Ask for/store some other allowed information, then provide the reset link through that (eg twitter DM or FB account)
The exact nature of your application would probably drive what you would want to do reset-wise. If it's for privacy reasons, obviously some of the ideas above wouldn't work (unless there's some legislation that explicitly excludes capturing email addresses).