1. Resetting password
I understand that by design restoring password is impossible and it’s great. Nevertheless, in my opinion there should be an option to reset the account to a virgin state (i.e. delete all existing data and start from 0) if the user can confirm that they are them (account reset confirmation link via email). Nowadays, good email providers offer a bunch of protective measures such as 2FA and we can be quite sure that the user is the user if they confirm the action by email.
It’s important not only because the Inkdrop subscription is tied to an email address but also because many people have just one email address which is very well protected and it’ll be very inconvenient for them to create a new one just to use it as their new login to Inkdrop.
2. Changing password
It’s a very good security practice to change passwords from time to time. Moreover, sometimes passwords get compromised. Imagine you HAD TO work with your Inkdrop files at your friend’s Windows PC and later he tells you that he had to bring his PC to a workshop because it had some tricky set of viruses and trojans. What will be your first reaction? Right! To change the password. Will Inkdrop have to re-encrypt the entire data or just re-encrypt the encryption key?
@craftzdog I’d like to hear your opinion about this matter. How do you see the situation?
Hi Alexander, thanks for the question.
First, your notes are not encrypted with your password directly.
Inkdrop generates an encryption key and it’s encrypted with your password while stored on disk.
So your encryption key itself won’t be changed if you change your password. Just re-encrypting the encryption key.
By this design, you always need your password when you login, no matter what.
I guess it’d be a rare case that a user forgets his/her password and would like to reset the account.
If I got a delete request from the registered email address, I could delete the account completely.
@craftzdog And what if I remember the password and just want to change it to a new one? As I understood from your answer, by design it’s not a problem, but is this implemented or not?
I just want to say it is NOT a rare case for someone to forget a password.
Right, so the warning is shown at the account registration form.
But it’s a rare case for someone who wishes to reset an account.
It should be, though. If you use something like 1Password, LastPass, or another similar password manager you can have long, random, unique passwords for every service you use and never forget them.
I think it’s awesome that Inkdrop passwords cannot be reset. That makes me feel like I can trust if there’s a data breach of some sort, my data will still be safe.