Web Application Security
Forgotten Password Aug 20 2013 03:21PM
saghar estehghari (s estehghari gmail com)

In the system that I'm currently working on, the users authenticate
themselves using username and password. As this is kind of a secure
file sharing system, each user has a key that is derived from his
password and all of his data and files are encrypted using this key.

Since the password is not kept in the clear in the database, I face a
problem when the user forgets his password. So it means that if we
reset the password we cannot decrypt his files anymore.

My solution to this problem was generating a certificate at
registration time that contains the encrypted password (using the
server's key), and asking them to save it. So when he clicks on the
"forgot password" link, the server asks him to provide the certificate.
After verifying the certificate, an email with a link for resetting the
password or an SMS with a secret code will be sent to the user to verify
whether s/he is the legitimate user or not!

However, I'm not sure about the security of such a solution! I was
wondering whether you have any better ideas or any feedback over my


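The loss of data on password reset comes from encrypting the files directly under the password-derived key. The usual way around it is to encrypt the files under a random data-encryption key (DEK) and keep that DEK wrapped twice: once under a key derived from the password, and once under a recovery key the user holds (the role the certificate plays in the post). A reset then only re-wraps the DEK; nothing is re-encrypted and the old password is never needed. The following is an added Python example, not the poster's code; the record layout and function names are assumptions, and HMAC-SHA256 is used as a stand-in for a real AEAD or key-wrap primitive.

```python
import hashlib
import hmac
import os

PBKDF2_ITERS = 200_000  # tune to the deployment's hardware budget

def derive_kek(password, salt):
    """Password -> 32-byte key-encryption key (KEK) via PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS, dklen=32)

def wrap(kek, dek):
    """Encrypt-then-MAC wrap of a 32-byte DEK. HMAC-SHA256 stands in for an
    AEAD here; a real deployment would use AES-GCM or RFC 5649 key wrap."""
    nonce = os.urandom(16)
    pad = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(dek, pad))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek, blob):
    """Reverse of wrap(); raises if the KEK is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expect = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or tampered key blob")
    pad = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))

def register(password):
    """Account record plus a one-time recovery key handed to the user (the role
    the certificate plays in the post) and never stored by the server."""
    dek, salt, recovery_key = os.urandom(32), os.urandom(16), os.urandom(32)
    record = {"salt": salt,
              "dek_by_password": wrap(derive_kek(password, salt), dek),
              "dek_by_recovery": wrap(recovery_key, dek)}
    return record, recovery_key

def open_dek(record, password):
    """Normal login path: password -> KEK -> DEK that encrypts the files."""
    return unwrap(derive_kek(password, record["salt"]), record["dek_by_password"])

def reset_password(record, recovery_key, new_password):
    """Forgot-password path: recover the DEK, re-wrap it under the new password.
    Files are untouched and the old password is never needed."""
    dek = unwrap(recovery_key, record["dek_by_recovery"])
    salt = os.urandom(16)
    return dict(record, salt=salt, dek_by_password=wrap(derive_kek(new_password, salt), dek))
```

Because the server never stores the recovery key, a database compromise still does not yield the DEK, which the certificate-with-encrypted-password design cannot claim once the server key is exposed.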


Copyright 2010, SecurityFocus