Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
hey there.
I’m developing a website and i want to have a password recovery system for the users who lost their password, but i don’t want to save the user email address or any private data.
i thought of saving a hash of the email address but if the db is compromised one could check if an email address is registered and which account it belongs to.
do you have any ideas?
To protect against the DB being compromised and hashes extracted, just add some random (but constant string) to all email addresses before cashing. E.g. add “BLABLABLA” to turn “joe@example.com” into “joe@example.comBLABLABLA” before hashing. It’s still not perfect, but now an attacker needs your DB, your application code, reverse engineer it, and know that that’s what he needs to do in the first place (there is no hint in the DB that your application modifies the email address before hashing).