Design a Password Management System
via LeetCode
Problem
Low-level design of a password management system: create/edit credentials, forgot-password with token generation, and configurable password policies, with SOLID structure and justified patterns.
Requirements
- register/changePassword validating against the active policy.
- forgotPassword(email) → time-limited single-use reset token delivered via notification.
- resetPassword(token, newPassword).
- Admin-configurable policies (length, character classes, history, expiry).
Core design
- Classes: User, CredentialStore (hashed passwords only — bcrypt/argon2 via a PasswordHasher interface), PasswordPolicy as a STRATEGY (interface validate(password) with composable rules — LengthRule, CharClassRule, HistoryRule combined by a CompositePolicy), TokenService (generate cryptographically random token, store hash + expiry + used flag), NotificationService as OBSERVER of password events (reset requested, password changed → email/SMS), PasswordService orchestrating the flows.
- SINGLETON only where justified (policy registry/config holder) — be ready to defend or reject it (DI container usually beats singleton; saying so is a plus).
Discussion points
- Security correctness: never store plaintext or reversible passwords; hash reset tokens at rest; constant-time comparisons; rate-limiting attempts; not revealing whether an email exists.
- SOLID mapping: SRP (hashing vs policy vs orchestration separated), OCP (new policy rules without touching the service), DIP (interfaces for hasher/notifier/store enabling tests).
- Password-history storage, token race conditions (single-use enforcement under concurrent resets), and policy versioning as probing areas.
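An added example, not part of the original page: a Python sketch of the TokenService from the core design, showing a reset token hashed at rest, an expiry, and single-use enforcement when several resets race on the same token. The names `ResetRecord`, `issue`, `redeem`, `ttl_seconds` and `clock` are assumptions, and the dict plus lock stands in for a database row updated in one transaction.

```python
import hashlib
import secrets
import threading
import time
from dataclasses import dataclass


@dataclass
class ResetRecord:                      # hypothetical record shape, not from the page
    user_id: str
    expires_at: float
    used: bool = False


class TokenService:
    """In-memory stand-in for a reset-token table."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock             # injectable so expiry can be tested
        self._records = {}              # sha256(token) hex -> ResetRecord
        self._lock = threading.Lock()

    @staticmethod
    def _digest(token):
        # Tokens are high-entropy random values, so a fast hash is enough here
        # (passwords, by contrast, go through bcrypt/argon2).
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        token = secrets.token_urlsafe(32)           # 256 bits from the OS CSPRNG
        record = ResetRecord(user_id, self._clock() + self._ttl)
        with self._lock:
            self._records[self._digest(token)] = record
        return token                                # raw value goes only to the user

    def redeem(self, token):
        """Return the user_id once for a valid token; None for every failure."""
        key = self._digest(token)                   # lookup is by digest, never raw token
        with self._lock:                            # check + mark-used as one atomic step
            record = self._records.get(key)
            if record is None or record.used or self._clock() >= record.expires_at:
                return None                         # same answer for unknown/used/expired
            record.used = True
            return record.user_id
```

With a real database the lock becomes a conditional update (set used where the hash matches, used is false and expiry is in the future), and the flow proceeds only if exactly one row changed.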
asked …