Ask HN: How to implement password reset without storing email on a server

6 points by dmitryame ↗ HN
Hello all, to address privacy concerns, my application is required not to store any email addresses on a server. Does anybody have any ideas how to implement password reset without sending confirmation email with a reset link in it?

4 comments

[ 2.6 ms ] story [ 28.9 ms ] thread
If you were to require the email address upon registration but instead of storing it in plain-text you store a hash of their email.

When password resetting ask for email, hash and match it against you stored hash.

If matching generate new password and store it, send the generated password to the email input by the user. Though it would likely be preferable to send some form of password-reset-token instead of a password which allows them to change to a new password within X time.

This way you never store their email-address in a usable plain-text.

But if your question was more to alternate methods than email in any form, hmmm, nope, sorry, can't think of any right now that are less invasive on privacy with the same security benefits.

This is the only idea I can think of that would work.

I'd be sure to lowercase it before hashing.

To make sure it's correct make they user type his email address the second time he logs in.
You either store something that you are allowed to store when you have the user authenticated (eg at account creation); or you give the user some secret to hang onto (client certificate, file, something else). You then check their info when they want a reset.

Off the top of my head, I'd probably consider the following options in order of decending useful/goodness: * Ask for the email address at signup, store a hash, then at reset ask for it again and verify that the hash matches * Ask for/store some other allowed information, then verify that the user wants a reset through that (confirmation code): - Eg collect a phone number and do password resets via SMS/call people who want their password reset - Eg collect a domain and require them to publish a file/txt record that has their email address to send a reset * Give the user some token (eg a specific file). If they can provide the token, allow them to change their password * Get the user to authenticate themselves with a client-side certificate or password. Allow reset only when the user's logged in (ie if they have the certificate or previously knew the password) * Ask for/store some other allowed information, then provide the reset link through that (eg twitter DM or FB account)

The exact nature of your application would probably drive what you would want to do reset-wise. If it's for privacy reasons, obviously some of the ideas above wouldn't work (unless there's some legislation that explicitly excludes capturing email addresses).