eriktobben

Reset password without using email

Hi! I am working on an app where the User will only have a username and password, no email. But I still want to let the user reset the password if they forget it.

I am wondering if this is a good approach, and if there are any security issues with it:

  • When the user creates the account, they are given a recovery key. It is only shown once.
  • The recovery key will be stored in a hashed format on the User model.
  • If the user forgets his password he can use the username / recovery key combination to set a new password.
  • The reset password logic will be rate limited.

Does this seem like a good solution, or is there anything I am not thinking about?

Thanks! :)

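The flow proposed in the question, written out as an added illustration (this is not code from the thread or from the poster's Laravel app; it is framework-independent Python, and every name such as `AccountService`, `RateLimiter` and the limits `MAX_ATTEMPTS` / `WINDOW_SECONDS` is an assumption chosen for the example). It shows the four points from the post: a recovery key generated once and returned to the user, only a hash of it stored on the user record, a username + recovery key check that sets a new password, and a per-username rate limit on reset attempts. Two details the post does not spell out are added because a reviewer would ask for them: the key is rotated after a successful reset so it is single-use, and an unknown username is compared against a dummy hash so response timing does not reveal which usernames exist.

```python
"""Username + recovery-key password reset, as sketched in the question (example only)."""
import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

RECOVERY_KEY_BYTES = 20           # 160 bits of randomness (base32 -> 32 characters)
PBKDF2_ITERATIONS = 200_000       # slow KDF for the user-chosen password only
MAX_ATTEMPTS = 5                  # reset attempts per username per window (assumed value)
WINDOW_SECONDS = 15 * 60          # assumed window length


@dataclass
class User:
    username: str
    password_hash: bytes          # salt || pbkdf2 digest
    recovery_key_hash: bytes      # sha256 of the normalised recovery key


def generate_recovery_key() -> str:
    """High-entropy random key, grouped in fours so the user can write it down."""
    raw = secrets.token_bytes(RECOVERY_KEY_BYTES)
    text = base64.b32encode(raw).decode("ascii")
    return "-".join(text[i:i + 4] for i in range(0, len(text), 4))


def normalise_key(key: str) -> str:
    """Ignore case, spaces and hyphens so a transcribed key still matches."""
    return "".join(ch for ch in key.upper() if ch.isalnum())


def hash_recovery_key(key: str) -> bytes:
    # A 160-bit random key cannot be guessed offline, so plain SHA-256 is enough here;
    # the slow KDF below is reserved for low-entropy, user-chosen passwords.
    return hashlib.sha256(normalise_key(key).encode("ascii")).digest()


def hash_password(password: str) -> bytes:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class RateLimiter:
    """Fixed window per username; every attempt counts, successful or not."""

    def __init__(self) -> None:
        self._attempts: dict[str, list[float]] = {}

    def allow(self, username: str, now: float) -> bool:
        recent = [t for t in self._attempts.get(username, []) if now - t < WINDOW_SECONDS]
        recent.append(now)
        self._attempts[username] = recent
        return len(recent) <= MAX_ATTEMPTS


class AccountService:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.limiter = RateLimiter()
        # Hash compared when the username is unknown, so that timing does not
        # reveal whether an account exists.
        self._dummy_hash = hash_recovery_key(generate_recovery_key())

    def register(self, username: str, password: str) -> str:
        """Create the account; return the recovery key, which is shown to the user once."""
        key = generate_recovery_key()
        self.users[username] = User(username, hash_password(password), hash_recovery_key(key))
        return key

    def reset_password(self, username: str, recovery_key: str, new_password: str,
                       now: Optional[float] = None) -> tuple[str, Optional[str]]:
        """Return (status, new_recovery_key); status is 'ok', 'invalid' or 'rate_limited'."""
        now = time.time() if now is None else now
        if not self.limiter.allow(username, now):
            return "rate_limited", None
        user = self.users.get(username)
        expected = user.recovery_key_hash if user else self._dummy_hash
        if not hmac.compare_digest(hash_recovery_key(recovery_key), expected) or user is None:
            return "invalid", None
        # Success: set the new password and rotate the key so the old one is single-use.
        user.password_hash = hash_password(new_password)
        new_key = generate_recovery_key()
        user.recovery_key_hash = hash_recovery_key(new_key)
        return "ok", new_key
```

The rate limiter records an attempt before deciding, so a burst of failed guesses and a burst of valid resets are throttled alike; the window and attempt count are placeholders to be tuned for the real application. Rotating the key on success means a recovery key that leaks after it has been used is worthless, and the user gets a fresh one to store alongside the new password.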
Snapey

Technically, yes; from a user point of view, no.

Users won't remember that code, and when they contact you for help.... sorry, nothing you can do.

Better that they give YOU something that they know that is unique to them. Ask them to enter 2 or 3 known facts, e.g. first pet's name, first employer, favourite film etc.

Store the choice they made and the answer (not hashed). Then you can ask them to confirm their recovery items and if they get 2 of three right (for example) then reset their password.

If you don't hash (encrypt or plaintext) then you can have a support dialogue so if it's obvious to you that they just forgot how they spelled something then you can reset for them.

eriktobben

@Snapey Thank you for your response. This application is for a crypto like community, where I don’t want to ask the user for personal information, hence the lack of email.

I was thinking the same approach as if you lose access to your wallet, you only have a set of words or a combination of phrases that will get you back into your wallet.

And since they already keep their wallet recovery key, they might hold on to the recovery key to their user as well?

Snapey

@eriktobben they don't have to give you real answers! My favourite colour is usually 'potato'.

Don't forget that you are implementing 'forgot password' functionality. If they can't save the password somewhere safe, what hope for their account access key?

eriktobben

@Snapey Yeah, I see what you mean. Will a three questions reset be considered a good enough solution? There is not much to protect, other than «follows» of other accounts.
