I'm building a password recovery feature in our app and I would like to send the current password to my user. It seems not possible to reach the password in a microflow and it wouldn't matter, because it's a hashed password. Therefore I need to generate a new password and send this one to the user. But I would like a confirmation that it's absolutely not possible to gain access to the user password, even in a java-action with some magic code.
No it's not possible unless you would brute-force it. Additionally, it would be a security risk sending someone's current password (that people still tend to re-use for several other things) through something like email.
Sebastiaan van den Broek
That would be some security breach. That means that if a hacker gained access to the hashed password he would have hit the goldmine.
Your assessment is true. Generate a new one and send it to the user.