Password reset by email without a database table

Posted by jpatokal on Stack Overflow See other posts from Stack Overflow or by jpatokal
Published on 2010-05-03T01:15:35Z Indexed on 2010/05/03 1:17 UTC
Read the original article Hit count: 298

Filed under:

forgot-password

|

security

|

best-practices

|

reset

The normal flow for resetting a user's password by mail is this:

Generate a random string and store it in a database table
Email string to user
User clicks on link containing string
String is validated against database; if it matches, user's pw is reset

However, maintaining a table and expiring old strings etc seems like a bit of an unnecessary hassle. Are there any obvious flaws in this alternative approach?

Generate a MD5 hash of the user's existing password
Email hash string to user
User clicks on link containing string
String is validated by hashing existing pw again; if it matches, user's pw is reset

Note that the user's password is already stored in a hashed and salted form, and I'm just hashing it once more to get a unique but repeatable string.

And yes, there is one obvious "flaw": the reset link thus generated will not expire until the user changes their password (clicks the link). I don't really see why this would be a problem though -- if the mailbox is compromised, the user is screwed anyway.

© Stack Overflow or respective owner

Related posts about forgot-password

Forgot password using ASP.Net membership provider?

as seen on Stack Overflow - Search for 'Stack Overflow'
Is it possible to implement a "forgot password" using ASP.Net membership provider? Any sample link is appreciated. Thanks >>> More
Sending forgot password emails

as seen on Stack Overflow - Search for 'Stack Overflow'
I am building a service that will have a 'forgot my password' feature. In addition to that, it will also email users when results are ready from my service. I would like to ensure delivery of my emails so I was looking around to find a service that would let me send emails. All that I've been able… >>> More
Windows Recovery Console - forgot password

as seen on Super User - Search for 'Super User'
I upgraded to Windows XP SP3, which immediately "broke" the laptop - it never booted with SP3 on it. I put in the Windows XP install disk I had originally used to set up the laptop, and it ran for a while, then said there's no hard disk present, so it can't continue. BIOS still sees the hard disk… >>> More
Forgot password to development database

as seen on Server Fault - Search for 'Server Fault'
I've created a database using terminal while following along with a tutorial. Although I had a lot of trouble getting the databases to install. Now after finally getting it to work I changed a few things, actually just the name of the database using the rake command to just "next". The password… >>> More
Design an api using rails and change the forgot password functionality

as seen on Stack Overflow - Search for 'Stack Overflow'
I have been using rails for developing web applications and now i need to do design an api for iphone application and since i used respond to json it also produces json but i use devise for authentication in my web application and when i send email and password along with the api it gives out … >>> More

Related posts about security

sudo apt-get update errors

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
Here is what I get on my terminal when running sudo apt-get update errors. I dont know if the issue is from my sources.list or my proxy setup(have not made any changes to proxies). Thank you for any help in advanced. Ign http://security.ubuntu.com oneiric-security Release.gpg Ign http://security… >>> More
The Security-Developer Gap: Why IT Security Can't Fix Your Security Problems Alone

as seen on Devx - Search for 'Devx'
Two well-known white hats explain how hackers take advantage of security holes left by enterprise application developers. >>> More
The Security-Developer Gap: Why IT Security Can't Fix Your Security Problems Alone

as seen on Internet.com - Search for 'Internet.com'
Two well-known white hats explain how hackers take advantage of security holes left by enterprise application developers. >>> More
StackOverFlowError while creating Mac object on AS400/Java

as seen on Stack Overflow - Search for 'Stack Overflow'
Hello all, I am a newbie to AS400-Java programming. I am trying to create my first program to test the implementation of Message Authentication Code (MAC). I am trying to use the HMACSHA1 hash function. My (Java 1.4) program runs fine on a dev box (V5R4).But fails terribly on the QA box (V5R3). My… >>> More
Google App Engine - Spring Security Issue (java.security.AccessControlException)

as seen on Stack Overflow - Search for 'Stack Overflow'
I'm currently getting the AccessControlException below when I deploy to app engine (I don't see it when I run in my local environment). I'm using GAE 1.3.1, Spring 3.0.1, and Spring Security 3.0.2. Any ideas how to get around this issue? It appears to be an issue with Spring Security trying to get… >>> More