Password reset by email without a database table

Posted by jpatokal on Stack Overflow See other posts from Stack Overflow or by jpatokal
Published on 2010-05-03T01:15:35Z Indexed on 2010/05/03 1:17 UTC
Read the original article Hit count: 301

The normal flow for resetting a user's password by mail is this:

  1. Generate a random string and store it in a database table
  2. Email string to user
  3. User clicks on link containing string
  4. String is validated against database; if it matches, user's pw is reset

However, maintaining a table and expiring old strings etc seems like a bit of an unnecessary hassle. Are there any obvious flaws in this alternative approach?

  1. Generate a MD5 hash of the user's existing password
  2. Email hash string to user
  3. User clicks on link containing string
  4. String is validated by hashing existing pw again; if it matches, user's pw is reset

Note that the user's password is already stored in a hashed and salted form, and I'm just hashing it once more to get a unique but repeatable string.

And yes, there is one obvious "flaw": the reset link thus generated will not expire until the user changes their password (clicks the link). I don't really see why this would be a problem though -- if the mailbox is compromised, the user is screwed anyway.

© Stack Overflow or respective owner

Related posts about forgot-password

Related posts about security