
Discussion on: A good reason not to use OAuth only accounts in your apps

Paulo Renato (exadra37)

I don't see a need for websites to keep your email or username in clear text... I prefer to store them hashed, just like we do with passwords.

This way a compromised database with username, email and password is not that useful to a hacker regarding this specific hashed data.

Adrian B.G. (bgadrian)

So how do you propose to reset your password? Or how would they contact you?

Paulo Renato (exadra37) • Edited

No need to contact me, they just need to provide the email and everything will work as usual.

When they provide the email it is hashed as if it was to be stored in the database, then you try to find that hash in the database and on success you send a password recovery email.

The only limitation here is that the user cannot recover the password by using only the username; they must always provide the email.
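The scheme described in this comment and in the opening one (emails stored only as hashes, reset by hashing the submitted address and looking it up), as an added example that is not code from the thread. It assumes a constructed server-side secret kept outside the database and uses a keyed hash (HMAC) rather than a bare hash, because a lookup hash must be deterministic (no per-user salt) and an unkeyed hash of a low-entropy value like an email is cheap to guess from a leaked dump; all names and data here are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side secret ("pepper"), assumed to live outside the database
# (e.g. a secrets manager) so a leaked table of email hashes cannot be guessed offline.
PEPPER = b"constructed-example-pepper-not-for-production"

def email_lookup_hash(email):
    # Deterministic keyed hash over the normalised address: usable as a lookup key,
    # but without PEPPER a dump holder cannot confirm candidate addresses against it.
    email = email.strip().lower()
    return hmac.new(PEPPER, email.encode(), hashlib.sha256).hexdigest()

def hash_password(password):
    salt = secrets.token_bytes(16)  # per-user salt plus a slow KDF, as for any password store
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(digest.hex(), digest_hex)

# Constructed in-memory "database": only hashed email and hashed password are stored.
USERS = {}          # email_hash -> {"password": stored_hash}
RESET_TOKENS = {}   # token -> (email_hash, expiry_unix_time)
def register(email, password):
    USERS[email_lookup_hash(email)] = {"password": hash_password(password)}
def login(email, password):
    rec = USERS.get(email_lookup_hash(email))
    return rec is not None and verify_password(password, rec["password"])

def request_password_reset(email, ttl_seconds=900):
    # Hash the submitted email exactly as at registration and look it up; on a hit,
    # issue a short-lived random token. The plaintext address is never stored.
    h = email_lookup_hash(email)
    if h not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = (h, time.time() + ttl_seconds)
    return token

def complete_password_reset(token, new_password):
    entry = RESET_TOKENS.pop(token, None)  # single use
    if entry is None or entry[1] < time.time():  # unknown or expired token
        return False
    USERS[entry[0]]["password"] = hash_password(new_password)
    return True
```

The token would be mailed to the address the user just submitted; the service forgets the plaintext as soon as the message is sent.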

Adrian B.G. (bgadrian)

There are many needs to contact you, from legal reasons to subscriptions, payments, notifications, even data breach alerts. If you have a customer you need to have their contact details.

It's common sense and most of the time a legal obligation.

rhymes (author)

So I can login into your account anytime because I know your email?

Paulo Renato (exadra37) • Edited

@BG Adrian

If you have legal obligations to keep or really need it for contact purposes then yes you would need to keep it in plain text.

But if you only need it for login purposes or to send notifications while the user is logged in, then you can store the emails as a hash in the database.

@rhymes

If you can login into my email account then you can, otherwise you can't.

When I said that it would work as usual I am referring to the normal process of recovering a password, where an email is sent to your email account with a unique link that normally also has a short expiration time.

rhymes (author)

Ok sorry, I misunderstood, I was thinking of passwordless logins.