[DECIDED] Password recover #77
I think if the user forgets the password they will surely forget the recovery code as well, so going with the optional e-mail link seems to be the only reasonable option
I should clarify what I mean by "recovery codes." These are a set of one-time-use codes that users can download or copy from the settings page. Once one is used, you can't use it again. If all codes are used, the user should generate new ones
Sounds inconvenient tbh, I think going with the (optional) email would be better
Speaking of, if we are going to use email recovery, it wouldn't hurt to have some kind of privacy policy
That's one of the reasons I prefer recovery codes
Well, you can do it your way, I just don't think that storing those codes is safe or convenient enough
In theory, to generate codes we can use a stripped hash of the current password hash and username. Then we don't need to store it anywhere. I don't think it's possible to get the password hash without access to the database
I mean storing codes for the user, not for us
Well, at least GitHub and Discord use it as a recovery option. Email is better, I agree, but it will be harder to set up than codes.
Well, something is better than nothing for sure, I have no objections then, hopefully we can come up with something better in the future though
Okay, then the discussion is closed, I'll go work on it
How to implement password recovery without breaking anon ideology?
Current ideas are optional email (if you want to recover your password, set an email where the recovery message will be sent) and recovery codes (on registration, give one-time-use codes to recover/reset the password)
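A sketch of the one-time recovery codes described in the thread, added here as an example and not taken from the project's code. It assumes randomly generated codes whose SHA-256 digests are kept per username in a hypothetical in-memory `store`; the set size, code length and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 8   # assumed set size; the thread does not specify one
CODE_BYTES = 10  # 80 bits of randomness per code


def _digest(code: str) -> str:
    # Normalise what the user typed (dashes, case, spaces) before hashing.
    # Codes are high-entropy random values, so an unsalted SHA-256 suffices;
    # this would NOT be acceptable for user-chosen passwords.
    normalized = code.replace("-", "").strip().lower()
    return hashlib.sha256(normalized.encode()).hexdigest()


def generate_codes(store: dict, username: str) -> list:
    """Create a fresh set of codes, invalidating any previous set.

    The plaintext codes are returned once for download; only digests
    are kept server-side, keyed by username (no email needed).
    """
    codes = []
    for _ in range(CODE_COUNT):
        raw = secrets.token_hex(CODE_BYTES)  # 20 hex characters
        codes.append("-".join(raw[i:i + 5] for i in range(0, len(raw), 5)))
    store[username] = {_digest(c) for c in codes}
    return codes


def redeem_code(store: dict, username: str, code: str) -> bool:
    """Return True and burn the code if it is valid and still unused."""
    candidate = _digest(code)
    remaining = store.get(username, set())
    match = None
    for stored in remaining:
        # Constant-time comparison of digests.
        if hmac.compare_digest(stored, candidate):
            match = stored
    if match is None:
        return False
    remaining.discard(match)  # one-time use: a second attempt fails
    return True


def codes_left(store: dict, username: str) -> int:
    """How many unused codes remain, e.g. to prompt regeneration at zero."""
    return len(store.get(username, set()))
```

A real reset endpoint would also need to rate-limit redemption attempts per username and persist the digests in the database instead of a dict.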