The normal flow for resetting a user’s password by mail is this:
- Generate a random string and store it in a database table
- Email string to user
- User clicks on link containing string
- String is validated against database; if it matches, user’s pw is reset
However, maintaining a table and expiring old strings etc. seems like a bit of an unnecessary hassle. Are there any obvious flaws in this alternative approach?
- Generate a MD5 hash of the user’s existing password
- Email hash string to user
- User clicks on link containing string
- String is validated by hashing existing pw again; if it matches, user’s pw is reset
Note that the user’s password is already stored in a hashed and salted form, and I’m just hashing it once more to get a unique but repeatable string.
And yes, there is one obvious “flaw”: the reset link thus generated will not expire until the user changes their password (clicks the link). I don’t really see why this would be a problem though — if the mailbox is compromised, the user is screwed anyway. And there’s no risk of reuse, since once the user’s password is changed, the reset link will no longer match.
To remedy the obvious flaw, add the current date (and more time-related info representing current fraction of a day if even a day is too long) to what you’re hashing to generate the mystery string and check it — this makes the string “expire” (you may check the previous as well as current date or fraction if you want longer “expiry”). So it seems to me that your scheme is quite viable.
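An added example (not code from the question or the answer) of the date-windowed variant the answer describes: the token is a hash over the stored password hash plus a numbered time window, and verification accepts the current window and one previous window. It assumes SHA-256 in place of the page's MD5, a constructed stand-in for the stored salted hash, and a window length in seconds (86400 for one day, smaller for a fraction of a day).

```python
import hashlib
import hmac

DAY = 86400  # window length in seconds; use a smaller value for a fraction of a day


def window_index(now, window_seconds=DAY):
    """Bucket a Unix timestamp into a numbered time window."""
    return int(now // window_seconds)


def reset_token(stored_hash, window):
    """Hash the stored (already salted and hashed) password together with the window number.
    Assumption: SHA-256 is used here where the page uses MD5."""
    data = f"{stored_hash}|{window}".encode()
    return hashlib.sha256(data).hexdigest()


def issue_token(stored_hash, now, window_seconds=DAY):
    """String to embed in the emailed reset link for the current window."""
    return reset_token(stored_hash, window_index(now, window_seconds))


def verify_token(token, stored_hash, now, window_seconds=DAY, previous_windows=1):
    """Re-derive the token for the current window and up to previous_windows earlier ones.
    A changed stored hash or an expired window yields no match."""
    current = window_index(now, window_seconds)
    for w in range(current, current - previous_windows - 1, -1):
        if hmac.compare_digest(reset_token(stored_hash, w), token):
            return True
    return False


def demo():
    """Walk the token through its lifetime; returns the outcome of each check."""
    stored = "$2b$12$constructedSaltAndHashValueForThisExample"  # constructed stand-in
    t0 = 1_700_000_000  # constructed issue time (Unix seconds)
    token = issue_token(stored, t0)
    return {
        "same_window": verify_token(token, stored, t0),
        "next_window": verify_token(token, stored, t0 + DAY),
        "two_windows_later": verify_token(token, stored, t0 + 2 * DAY),
        "after_pw_change": verify_token(token, "$2b$12$constructedNewHashValue", t0),
    }


if __name__ == "__main__":
    print(demo())
```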