This repository was archived by the owner on Dec 2, 2024. It is now read-only.

allow for password recovery #133

@JoshAtticus

Description

A common thing people do is change their password, then forget it, but still remember their old one.

A useful feature would be to store the previous password (hashed) for 14 days after the password is changed.

When a password is entered, the server would check the main password, but if it doesn't match, it would check the previous password (if applicable).

If the password matches the previous password variable, but not the primary variable, it would send a status code informing the client that the password was valid within the past 14 days, but was changed (time) ago from a (device) in (location). It should not allow the user to log in, as then anyone with the previous password can log in, which is a security vulnerability.

Obviously, the time, device, and location info will need to come from somewhere other than a status code, for example, stored hashed by the previous password on the API.

I also have a mockup of a popup showing this feature put to use:
[image: mockup of the popup]

When the user contacts [email protected] to change the password, the support person should be able to switch the previous and primary password variables around, making the previous password the primary password. If emails are added in the CL4 port, you should also require a code from an email for added security.
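The check described in this issue, written out as an added example (not code from this project or its author): the primary hash is tried first, a retained previous hash is consulted only inside the 14-day window and never grants a session, and the support-side swap is the `restore_previous` function. PBKDF2-HMAC-SHA256 and the dict layout are assumptions for the demo; the project's real hashing scheme is not shown on the page.

```python
import hashlib
import hmac
import os

PREVIOUS_PASSWORD_TTL = 14 * 24 * 3600  # seconds; retention window from the proposal

def hash_password(password: str, salt: bytes = b"") -> tuple:
    # PBKDF2-HMAC-SHA256 with a random 16-byte salt (assumed scheme, not the project's).
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify(password: str, salt: bytes, digest: bytes) -> bool:
    # Constant-time comparison so the mismatch position does not leak via timing.
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def change_password(account: dict, new_password: str, now: float,
                    device: str, location: str) -> None:
    # Keep only the OLD hash plus rotation metadata; the plaintext is never stored.
    account["previous"] = {"salt": account["salt"], "digest": account["digest"],
                           "changed_at": now, "device": device, "location": location}
    account["salt"], account["digest"] = hash_password(new_password)

def restore_previous(account: dict, now: float, device: str, location: str) -> bool:
    # Support action from the proposal: swap previous and primary while the window is open.
    prev = account.get("previous")
    if prev is None or now - prev["changed_at"] > PREVIOUS_PASSWORD_TTL:
        return False
    account["previous"] = {"salt": account["salt"], "digest": account["digest"],
                           "changed_at": now, "device": device, "location": location}
    account["salt"], account["digest"] = prev["salt"], prev["digest"]
    return True

def check_login(account: dict, password: str, now: float) -> dict:
    if verify(password, account["salt"], account["digest"]):
        return {"status": "ok"}
    prev = account.get("previous")
    if prev is not None and now - prev["changed_at"] > PREVIOUS_PASSWORD_TTL:
        account["previous"] = prev = None  # window passed: purge the old hash
    if prev is not None and verify(password, prev["salt"], prev["digest"]):
        # Still a denial (no session is issued): the client only learns when and where
        # the change happened. Rate-limit like any failed attempt, since this reply
        # confirms the old password was once valid.
        return {"status": "password_changed", "changed_ago": now - prev["changed_at"],
                "device": prev["device"], "location": prev["location"]}
    return {"status": "invalid"}
```

The "password_changed" result is what the popup in the mockup would be driven by; the timestamps here are plain seconds so the window logic is easy to test.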
