-
Notifications
You must be signed in to change notification settings - Fork 15
allow for password recovery #133
Comments
epic idea |
Updates? |
Updates? @tnix100 cc @MikeDev101 |
|
oooh, nice |
oh, except for the storing previous password thing, but at least email password recovery is working |
Storing the old password hashed by itself would probably work as a backup method. |
@tnix100 Could we possibly store a record of previous password hashes, and clear them out every 30 days? That could make the previous password notice work. |
Relabeled for relevancy. |
Storing them in a separate db collection with a timestamp, we could have a TTL index that auto removes items that have a timestamp greater than 30 days old. |
A common thing people do is change their password, then forget it, but still remember their old one.
A useful feature would be to store the previous password (hashed) for 14 days after the password is changed.
When a password is entered, the server would check the main password, but if it doesn't match, it would check the previous password (if applicable).
If the password matches the previous password variable, but not the primary variable, it would send a status code informing the client that the password was valid within the past 14 days, but was changed (time) ago from a (device) in (location). It should not allow the user to log in as then anyone with the previous password can log in which is a security vulnerability.
Obviously, the time, device, and location info will need to come from somewhere other than a status code, for example, stored hashed by the previous password on the API.
I also have a mockup of a popup showing this feature put to use:
When the user contacts [email protected] to change the password, the support person should be able to switch the previous and primary password variables around, making the previous password the primary password. If emails are added in the CL4 port, you should also require a code from an email for added security.
The text was updated successfully, but these errors were encountered: