Is your feature request related to a problem? Please describe.
Upon a db leak, an attacker can obtain users' hashed emails from the db.
Describe the solution you'd like
The user should be able to choose at registration whether he will reset his password in the future with a secret code sent to his email address, or just with his email address.
Describe alternatives you've considered
Registration via email address only.
User story
User creates a new account
User is asked whether he wants to reset passwords in the future with email or a secret code
User chooses secret code
User is being asked to provide an email address
Server generates a secret code and emails it to the user; the server won't save the email address to the db
User forgets the password
User enters LokIM
User clicks "I forgot password" button
User is being asked to choose password reset option.
User chooses secret code.
User is being asked for secret code
User types secret code in
LokIM asks user to enter a new password 2 times.
User can use new password to log in.
Additional context
Secret codes should be stored under the same key as the email address in the db, so an attacker won't know whether the user has an email address or a secret code there.
Secret codes should be hashed with a different hash algorithm than emails, to prevent the victim's email address from being used as a secret code.
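
A sketch of the storage rule described under "Additional context", added here as an example and not LokIM's own code: both recovery values go into one fixed-length field, and each is hashed with a different algorithm so an email address typed into the secret-code prompt never matches. The function names and the choice of SHA-256 and BLAKE2b are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: one 32-byte "recovery" field holds either kind of digest,
# so a leaked row does not reveal which reset option the user picked.
DIGEST_LEN = 32


def hash_email(email: str) -> bytes:
    """Digest stored for email-based reset (SHA-256, assumed choice)."""
    return hashlib.sha256(email.strip().lower().encode()).digest()


def hash_secret_code(code: str) -> bytes:
    """Digest stored for secret-code reset (BLAKE2b, assumed choice)."""
    return hashlib.blake2b(code.encode(), digest_size=DIGEST_LEN).digest()


def register(email: str, use_secret_code: bool):
    """Return (digest_for_db, code_to_mail_or_None).

    With the secret-code option the address is only used to deliver the
    code; nothing derived from it is returned for storage.
    """
    if use_secret_code:
        code = secrets.token_urlsafe(24)  # 192 bits from the OS CSPRNG
        return hash_secret_code(code), code
    return hash_email(email), None


def verify_reset(stored: bytes, supplied: str, option: str) -> bool:
    """Check the value typed at reset time; option is 'code' or 'email'."""
    if option == "code":
        candidate = hash_secret_code(supplied)
    else:
        candidate = hash_email(supplied)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(stored, candidate)
```
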