WebApp Sec mailing list archives

Forgotten Password


From: saghar estehghari <s.estehghari () gmail com>
Date: Tue, 20 Aug 2013 17:21:15 +0200

Hi,

In the system that I'm currently working on, the users authenticate
themselves using username and password. As this is kind of a secure
file sharing system, each user has a key that is derived from his
password, and all of his data and files are encrypted using this key.

Since the password is not kept in the clear in the database, I face a problem
when the user forgets his password. It means that if we reset the
password, we cannot decrypt his files anymore.

My solution to this problem was generating a certificate at
registration time that contains the encrypted password (using the
server's key), and asking them to save it. So when he clicks on the "forgot
password" link, the server asks him to provide the certificate. After
verifying the certificate, an email with a link for resetting the password
or an SMS with a secret code will be sent to the user to verify whether
s/he is the legitimate user or not!

However, I'm not sure about the security of such solution! I was
wondering whether you have any better ideas or any feedback over my
solution.

Thanks




