Forgot my password for secure database

85 views Asked by At

I created a database structure in which a user gets a public and a private key to access information, the public key is uploaded to the database and the private key is encrypted with the users password so I let he can access it. To implement a "Forgot my Password" in this structure an email would have to be sent to the Unser, which provides the option to encrypt the private key with a new password. I thought about storing all private keys somewhere else but that would compromise the entire security, because I don't want the private key or the password stored anywhere in the database. So the problem that I'm having now is that I don't have access to the private key without the original password, so how would I be able to let the user re encrypt it with a new password.

2

There are 2 answers

12
Dherik On BEST ANSWER

You don't need the original password to add the option for the user change the password. And is very dangerous create a way to recover the original passoword of the user. If I was you, I would use some hash algorithm, like SHA-256, and store the result as the password of the user.

Well, returning for the question, one way to accomplish this password user change is create a UUID in your User table. When the user try to change his password, you redirect him to a page with this UUID in the link. This UUID works as a temporary key that permit the user change his password.

Per example.

Table: User

id | name | UUID
1  | John | f39a33c3-e7f5-455a-afad-dcf845eb04a1

When the user wants to change the password, you send a link for his e-mail:

http://yoursite.com/recover-password?UUID=f39a33c3-e7f5-455a-afad-dcf845eb04a1

So, when the user enter the new password in the page and submit the informations, you get this UUID and validate if it's really the UUID generated for the user. So, the password change can happen.

1
AudioBubble On

The simplest way to achieve this is to decrypt the private key with current password and re-encrypt it with new password and then update the new password in the database.