WebApp Sec mailing list archives
Forgotten Password
From: saghar estehghari <s.estehghari () gmail com>
Date: Tue, 20 Aug 2013 17:21:15 +0200
Hi,

In the system that I'm currently working on, the users authenticate themselves using a username and password. As this is a kind of secure file sharing system, each user has a key that is derived from his password, and all of his data and files are encrypted using this key. Since the password is not kept in the clear in the database, I face a problem when the user forgets his password: if we reset the password, we cannot decrypt his files anymore.

My solution to this problem was generating a certificate at registration time that contains the encrypted password (using the server's key), and asking the user to save it. So when he clicks on the "forgot password" link, the server asks him to provide the certificate. After verifying the certificate, an email with a link for resetting the password, or an SMS with a secret code, will be sent to the user to verify whether s/he is the legitimate user or not!

However, I'm not sure about the security of such a solution! I was wondering whether you have any better ideas or any feedback on my solution.

Thanks
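The design in the post, worked through as a small program. This is an added example, not the poster's code or any library's API. The password derives a key-encryption key, a random file key (DEK) is wrapped under it and stored server-side, and the user is handed a recovery token holding the same DEK sealed under a server-held recovery key. It departs from the post in one respect: the token carries the file key rather than the password, so the server never learns the password and a reset re-wraps one key instead of re-encrypting every file. The token is bound to the account through authenticated associated data, so one user's token cannot be replayed against another account, and `reset_password` is meant to run only after the email/SMS step the post describes. The authenticated cipher is an HMAC-SHA256 counter-mode construction with an HMAC tag, standing in for AES-GCM so the example needs only the standard library; the user ids, passwords and sample file are constructed for the demo.

```python
"""Password-derived key with a user-held recovery token.

Added example, not code from the mailing-list post. Stdlib only: the
authenticated cipher below is HMAC-SHA256 in counter mode plus an HMAC tag
(encrypt-then-MAC), standing in for AES-GCM so the file runs anywhere.
"""
import hashlib
import hmac
import secrets

KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def derive_kek(password: str, salt: bytes) -> bytes:
    """Key-encryption key from the password; never stored, only derived."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC; `aad` is authenticated but not encrypted."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag first; raise rather than return garbage on failure."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key, wrong account, or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Account model (assumed layout, not the post's):
#   server holds: salt + DEK wrapped under the password-derived KEK
#   user holds:   recovery token = DEK sealed under the server's recovery key,
#                 bound to the account through the authenticated aad
# Files are encrypted under the DEK, so a password change only re-wraps the DEK.

def register(user_id: bytes, password: str, server_recovery_key: bytes):
    salt = secrets.token_bytes(16)
    dek = secrets.token_bytes(KEY_LEN)            # random, not derived from the password
    record = {"salt": salt,
              "wrapped_dek": seal(derive_kek(password, salt), dek, b"wrap:" + user_id)}
    recovery_token = seal(server_recovery_key, dek, b"recovery:" + user_id)
    return record, recovery_token                 # token goes to the user, not the database


def login(user_id: bytes, password: str, record: dict) -> bytes:
    """A successful unwrap is the password check; returns the DEK for this session."""
    return unseal(derive_kek(password, record["salt"]), record["wrapped_dek"], b"wrap:" + user_id)


def reset_password(user_id: bytes, recovery_token: bytes, server_recovery_key: bytes,
                   new_password: str, record: dict) -> None:
    """Run only after the out-of-band email/SMS step has passed."""
    dek = unseal(server_recovery_key, recovery_token, b"recovery:" + user_id)  # rejects another user's token
    salt = secrets.token_bytes(16)
    record["salt"] = salt
    record["wrapped_dek"] = seal(derive_kek(new_password, salt), dek, b"wrap:" + user_id)


def demo() -> bool:
    """Register, store a file, forget the password, recover, read the file back."""
    server_key = secrets.token_bytes(KEY_LEN)
    uid = b"alice"                                # constructed sample user
    record, token = register(uid, "correct horse", server_key)
    dek = login(uid, "correct horse", record)
    stored_file = seal(dek, b"quarterly numbers", b"file:" + uid)   # constructed sample file

    reset_password(uid, token, server_key, "battery staple", record)
    try:
        login(uid, "correct horse", record)       # old password must no longer unwrap
        return False
    except ValueError:
        pass
    dek2 = login(uid, "battery staple", record)
    return unseal(dek2, stored_file, b"file:" + uid) == b"quarterly numbers"


if __name__ == "__main__":
    print("round trip ok" if demo() else "round trip FAILED")
```

Two properties worth noting. The recovery token is a second credential: anyone holding both it and the server's recovery key can read the files, so the server key needs the same protection as the database of wrapped keys, and presenting the token should never by itself reset the password, which is why the email/SMS step from the post stays in front of `reset_password`. And because the token is sealed with the account id as associated data, a token issued to one user fails verification when presented for another, which is the check the server must perform before trusting any "certificate" the user uploads.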
Current thread:
- Forgotten Password saghar estehghari (Aug 20)
- Message not available
- Re: Forgotten Password saghar estehghari (Aug 21)
- Re: Forgotten Password Amol Arakh (Aug 21)
- Re: Forgotten Password saghar estehghari (Aug 21)
- Message not available