by ts-jondin
4169 days ago
If you were to require the email address upon registration, but instead of storing it in plain-text you store a hash of their email. When password resetting, ask for the email, hash it and match it against your stored hash. If matching, generate a new password and store it, and send the generated password to the email input by the user. Though it would likely be preferable to send some form of password-reset-token instead of a password, which allows them to change to a new password within X time. This way you never store their email-address in a usable plain-text. But if your question was more about alternate methods than email in any form, hmmm, nope, sorry, can't think of any right now that are less invasive on privacy with the same security benefits.

I'd be sure to lowercase it before hashing.
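
The scheme from the two comments above, as an added example that is not part of the thread: the address is lowercased before hashing, only the hash is stored, and a reset sends an expiring one-time token instead of a new password. Assumptions of this example: it uses HMAC-SHA256 with a server-side key rather than a bare hash (email addresses are easy to guess, so an unkeyed hash can be reversed by enumeration), the 15-minute window stands in for "X time", and the `Accounts` class and its in-memory dicts are hypothetical stand-ins for a real user table.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions: constructed demo key (keep the real one outside the database).
EMAIL_HASH_KEY = b"constructed-demo-key-not-for-production"
TOKEN_TTL_SECONDS = 15 * 60  # the "X time" window; value chosen for the example


def email_digest(email):
    """Trim and lowercase the address, then return its keyed hash."""
    normalised = email.strip().lower()
    return hmac.new(EMAIL_HASH_KEY, normalised.encode("utf-8"), hashlib.sha256).hexdigest()


class Accounts:
    def __init__(self):
        self.email_hash = {}  # username -> keyed hash of the email address
        self.reset = {}       # username -> (sha256 of reset token, expiry time)

    def register(self, username, email):
        self.email_hash[username] = email_digest(email)

    def request_reset(self, username, email, now=None):
        """Return a token to mail to the address just typed in, or None on mismatch."""
        now = time.time() if now is None else now
        stored = self.email_hash.get(username)
        if stored is None or not hmac.compare_digest(stored, email_digest(email)):
            return None
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.reset[username] = (digest, now + TOKEN_TTL_SECONDS)  # token itself is not stored
        return token

    def redeem(self, username, token, now=None):
        """True exactly once for the right token inside the validity window."""
        now = time.time() if now is None else now
        entry = self.reset.get(username)
        if entry is None:
            return False
        digest, expires = entry
        supplied = hashlib.sha256(token.encode()).hexdigest()
        if now <= expires and not hmac.compare_digest(digest, supplied):
            return False  # wrong token: the pending reset stays valid
        del self.reset[username]  # expired or correctly used: drop it either way
        return now <= expires
```

Return the same response to the user whether or not `request_reset` matched, so the reset form does not confirm which address belongs to an account.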