david wong

Hey ! I'm David, a security consultant at Cryptography Services, the crypto team of NCC Group . This is my blog about cryptography and security and other related topics that I find interesting.

Using crypto to replace database access. February 2015

A pretty fresh article on how you could use crypto to replace a lot of complicated schemes you might use on your website like password reset or mail confirmation:

https://neosmart.net/blog/2015/using-hmac-signatures-to-avoid-database-writes/

tl;dr: instead of creating a table for tokens, you could create the password reset url like this:

http://www.example.com/password_reset/?user=username&expires=15649848949849&[email protected]&token=

and at the place of the token you would put the output of a MAC. Checking the MAC again after receiving the url would confirm that YOU created that url and it has not been modified. Remember, MAC provides integrity and authentication. The author also provides a way to only render this usable once: use the original hashed password as a nonce.

Well done! You've reached the end of my post. Now you can leave me a comment :)