

Ask HN: How to implement password reset without storing email on a server - dmitryame

Hello all,
To address privacy concerns, my application is required not to store any email addresses on a server. Does anybody have any ideas on how to implement a password reset without sending a confirmation email with a reset link in it?
======
ts-jondin
If you were to require the email address upon registration, then instead of
storing it in plain text you could store a hash of their email.

When resetting the password, ask for the email, hash it and match it against
your stored hash.

If it matches, generate a new password, store it, and send the generated
password to the email address input by the user. Though it would likely be
preferable to send some form of password-reset token instead of a password,
which allows them to change to a new password within X time.

This way you never store their email address in usable plain text.

But if your question was more about alternate methods to email in any form,
hmmm, nope, sorry, can't think of any right now that are less invasive on
privacy with the same security benefits.

~~~
mod
This is the only idea I can think of that would work.

I'd be sure to lowercase it before hashing.

~~~
proveanegative
To make sure it's correct, make the user type his email address the second
time he logs in.
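The scheme this subthread converges on (hash the address at signup, lowercase it first, match the hash at reset time, then mail a short-lived one-time reset token rather than a password), as an added example that is not code from anyone in the thread. It assumes an in-memory store and a server-side HMAC key; the keyed hash is an addition here, because a plain hash of a guessable address is cheap to reverse offline.

```python
import hashlib, hmac, os, secrets, time

# Assumed server-side secret ("pepper"): a bare hash of an address is cheap to
# brute-force because emails are guessable, so the thread's "hash of the email"
# is a keyed HMAC here. Constructed demo value; load it from a secret store.
EMAIL_HMAC_KEY = b"demo-pepper-not-for-production"
RESET_TOKEN_TTL = 15 * 60   # seconds a one-time reset token stays valid

def normalize_email(email: str) -> str:
    # Lowercase and trim before hashing (mod's point) so signup and reset agree.
    return email.strip().lower()

def email_fingerprint(email: str) -> str:
    data = normalize_email(email).encode()
    return hmac.new(EMAIL_HMAC_KEY, data, hashlib.sha256).hexdigest()

def hash_password(password: str) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + dk.hex()

def verify_password(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(dk.hex(), dk_hex)

class AccountStore:
    # In-memory stand-in for the database: holds fingerprints, never addresses.
    def __init__(self):
        self.users = {}    # email fingerprint -> {"pw_hash": str}
        self.resets = {}   # sha256(token) -> (email fingerprint, expiry time)

    def register(self, email: str, password: str) -> None:
        self.users[email_fingerprint(email)] = {"pw_hash": hash_password(password)}

    def request_reset(self, email: str):
        # Returns (address to mail, token) if the fingerprint matches, else None.
        fp = email_fingerprint(email)
        if fp not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        token_id = hashlib.sha256(token.encode()).hexdigest()
        self.resets[token_id] = (fp, time.time() + RESET_TOKEN_TTL)
        # The plaintext address exists only in this request, for the outgoing mail.
        return normalize_email(email), token

    def complete_reset(self, token: str, new_password: str, now=None) -> bool:
        now = time.time() if now is None else now
        entry = self.resets.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None or entry[1] < now:
            return False          # unknown, already used, or expired token
        self.users[entry[0]]["pw_hash"] = hash_password(new_password)
        return True
```

Only the token's hash is stored, so a database leak does not hand out live reset links, and popping the entry makes each token single-use.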

------
px1999
You either store something that you are allowed to store when you have the
user authenticated (eg at account creation); or you give the user some secret
to hang onto (client certificate, file, something else). You then check their
info when they want a reset.

Off the top of my head, I'd probably consider the following options in order
of descending usefulness/goodness:

* Ask for the email address at signup, store a hash, then at reset ask for it
  again and verify that the hash matches
* Ask for/store some other allowed information, then verify that the user wants
  a reset through that (confirmation code):
  - Eg collect a phone number and do password resets via SMS/call people who
    want their password reset
  - Eg collect a domain and require them to publish a file/txt record that has
    their email address to send a reset
* Give the user some token (eg a specific file). If they can provide the token,
  allow them to change their password
* Get the user to authenticate themselves with a client-side certificate or
  password. Allow reset only when the user's logged in (ie if they have the
  certificate or previously knew the password)
* Ask for/store some other allowed information, then provide the reset link
  through that (eg twitter DM or FB account)

The exact nature of your application would probably drive what you would want
to do reset-wise. If it's for privacy reasons, obviously some of the ideas
above wouldn't work (unless there's some legislation that explicitly excludes
capturing email addresses).

