Sign Up

Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.

Sign In

Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.

Forgot Password

Lost your password? Please enter your email address. You will receive a link and will create a new password via email.

You must login to ask a question.

Please briefly explain why you feel this question should be reported.

Please briefly explain why you feel this answer should be reported.

Please briefly explain why you feel this user should be reported.

Search

Ask A Question

0

Editorial Team

Asked: May 19, 20262026-05-19T12:01:24+00:00 2026-05-19T12:01:24+00:00

I realize that for security that passwords should not be stored in a DB

0

I realize that for security that passwords should not be stored in a DB as plaintext. If I hash them, I can validate them for login purposes.

But if I want to set up a password recovery system, what’s the best strategy since there is no undoing of the hashing?

Could someone give me a brief overview of a good and secure strategy for storing and recovering passwords?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team
2026-05-19T12:01:25+00:00Added an answer on May 19, 2026 at 12:01 pm
You can not recover password that were hashed, neither should you.

What you should do instead is:

Put some verification on the password reset request, like CAPTCHA.

Create an one-time random code and send a link with it to user’s email.

Have this code expire in, say, an hour.

Have this code expire immediately once used.

On the link with the code, if it validates, allow him to change his password.

Notify him that the password was changed, but do not send it in the email.
0

Reply

Share
Share

Share on Facebook

Share on Twitter

Share on LinkedIn

Share on WhatsApp

Report