Password Recovery


#1

Hi, the question may sound like opening a security hole, but I’m investigating possible solutions for providing some kind of “Password Recovery/Set new password” feature to our users. Our application has a Master/Unique password which the user picks and needs to remember. Usually, they forget it, and we provide a reset feature which forces the user to start over.
Is there a way to set a new password on the database, in the case where the old one is forgotten?

Thanks!


#2

Hi @aleksandarkostic

Thanks for using SQLCipher and posting to the discussion forums.

> Is there a way to set a new password on the database, in the case where the old one is forgotten?

No, there’s no way to open a SQLCipher database without knowing the current encryption key, and to be able to change the encryption key, you need to first open the database.

> the question may sound like opening a security hole

This is correct (that it would open a security hole). You would need to store users’ encryption keys within your own server in order to provide a reset password function, which would greatly reduce the security of your application.

> but I’m investigating possible solutions for providing some kind of “Password Recovery/Set new password” feature to our users.

You might consider providing some sort of CSV/plain text export method for the user to create a hard copy of their data (to store somewhere secure like a safe) in case their master password is forgotten.

Cheers,
Micah
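
The order of operations described in the reply above, as an added example that is not part of either post and not code from the SQLCipher project: the current key has to open the database before `PRAGMA rekey` can change it, and the same open connection is what makes a plaintext export possible. The passphrases and the backup file name are placeholders chosen for illustration.

```sql
-- Run in the sqlcipher command-line shell against the encrypted database file.
-- Passphrases and file names below are placeholders, not values from the thread.

-- 1. Supply the current key. This must be the first statement on the connection.
PRAGMA key = 'current-master-password';

-- 2. Confirm the key is correct. PRAGMA key does not validate the key by itself;
--    with a wrong key this first read of the database fails instead of
--    returning a count, and nothing after this point can succeed.
SELECT count(*) FROM sqlite_master;

-- 3. Only on a successfully opened database can the key be changed.
--    rekey re-encrypts the database under the new password.
PRAGMA rekey = 'new-master-password';

-- 4. One way to produce the user's offline copy while the database is open:
--    attach an unencrypted database (empty key) and copy everything into it.
--    The resulting file is plaintext and must be stored somewhere secure.
ATTACH DATABASE 'backup-plaintext.db' AS plaintext KEY '';
SELECT sqlcipher_export('plaintext');
DETACH DATABASE plaintext;
```

If the user no longer knows the password supplied in step 1, steps 3 and 4 are unreachable, which is why the export has to be made while the password is still known.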