2dbi

Design a Password Management System

viaLeetCode

Problem Low-level design of a password management system: create/edit credentials, forgot-password with token generation, and configurable password policies — with SOLID structure and justified patterns.

Requirements

  • register/changePassword validating against the active policy; forgotPassword(email) → time-limited single-use reset token delivered via notification; resetPassword(token, newPassword); admin-configurable policies (length, character classes, history, expiry).

Core design

  • Classes: User, CredentialStore (hashed passwords only — bcrypt/argon2 via a PasswordHasher interface), PasswordPolicy as a STRATEGY (interface validate(password) with composable rules — LengthRule, CharClassRule, HistoryRule combined by a CompositePolicy), TokenService (generate cryptographically random token, store hash + expiry + used flag), NotificationService as OBSERVER of password events (reset requested, password changed → email/SMS), PasswordService orchestrating the flows.
  • SINGLETON only where justified (policy registry/config holder) — be ready to defend or reject it (DI container usually beats singleton; saying so is a plus).

Discussion points

  • Security correctness: never store plaintext or reversible passwords; hash reset tokens at rest; constant-time comparisons; rate-limiting attempts; not revealing whether an email exists.
  • SOLID mapping: SRP (hashing vs policy vs orchestration separated), OCP (new policy rules without touching the service), DIP (interfaces for hasher/notifier/store enabling tests).
  • Password-history storage, token race conditions (single-use enforcement under concurrent resets), and policy versioning as probing areas.
Add a follow-up question they asked
No follow-ups yet. Be the first to add one.
asked …
LeaderboardSalary
Language
Account