
Python

3 Answers

Hi

TL;DR: As Andreas mentions, you will be unable to retrieve the password once hashed. A recommended method is to use an existing tried-and-tested plugin which will handle these security issues for you, such as:

If you're interested in the actual workflow, then:

  • The user visits a password reset page which asks them for their email.
  • The app authenticates the email address and sends them an email containing a one-use password reset string.
  • This password reset string is stored in a password_reset column within the database, usually on the users table, along with an expiration time (usually set to 2 hours after the email is sent).
  • The user receives the email containing a link formatted: www.yourapp.com/password_reset/<random password reset string>/<user_id>
  • Upon visiting this page the application authenticates the user_id and then checks the reset string against the one stored, along with the expiration time.
  • If they are authenticated, the user is presented with a new password form, which will update the user's password.

While this allows the user to easily regain access to the account, there are a number of security issues that a developer needs to be aware of:

  • The string needs to be random and unlikely to be easily replicated - itsdangerous can accomplish this.
  • By informing a user that an email is not recognised, an attacker can easily generate a list of recognised emails and then attack the login page with a rainbow table of possible passwords until they eventually gain access to the app.

Hope this helps, Bob
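The workflow and the two cautions above, worked through as an added Python example (not code from this thread); it uses only the standard library rather than the itsdangerous package, and the in-memory USERS table, RESET_TTL and the function names are constructed assumptions:

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory stand-in for the users table described in the answer:
# email -> {"user_id", "password_reset" (sha256 of the token or None), "reset_expires"}
USERS = {
    "alice@example.com": {"user_id": 1, "password_reset": None, "reset_expires": 0.0},
}
RESET_TTL = 2 * 60 * 60  # 2 hours, as in the answer


def _digest(token: str) -> str:
    # Store only a hash of the token, so a leaked password_reset column cannot be replayed as-is.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a one-use reset token and return it for emailing, or None if the email is unknown.
    The caller must show the same 'if that address exists, we sent a mail' message in both
    cases, so the response does not reveal which emails are registered (second caution)."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG (first caution)
    user["password_reset"] = _digest(token)
    user["reset_expires"] = now + RESET_TTL
    return token


def verify_reset(user_id: int, token: str, now: Optional[float] = None) -> bool:
    """Check the link's user_id and token against the stored hash and expiry;
    on success the token is consumed so the link only works once."""
    now = time.time() if now is None else now
    user = next((u for u in USERS.values() if u["user_id"] == user_id), None)
    if user is None or user["password_reset"] is None:
        return False
    if now > user["reset_expires"]:
        return False
    # Constant-time comparison avoids leaking how much of the token matched.
    ok = hmac.compare_digest(user["password_reset"], _digest(token))
    if ok:
        user["password_reset"] = None
        user["reset_expires"] = 0.0
    return ok
```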

Great comments, Bob. I need to change my password update method to address the possible security flaws.

Not sure you can actually recover the password as the hashing is a one way process. I have done this sort of thing by sending the user a link and getting them to update the password to something new rather than changing the existing password.

mubarak basuudde

Oh yes, thank you. Well, as for PASSWORD RESET and helpful libraries or tips,