Please verify or explain how to do this properly.
I'm letting a user create keys from the client through a secure server.
I ask the user for a password on the client, then send the hashed password to the server. The server generates fresh keys and encrypts them with the password hash + the generated verification key. The encrypted keys are saved on the server. I return the verification key to the client (Probably should encrypt this with the password hash as well, right?)
When the user needs to access their address to make a transaction or sign something, they must send the verification key and their password hash.
These keys and addresses are intended to be short-lived or one-time-use. However, I'm concerned that a user may forget their password and want to let them verify correctness before choosing a key to use. So, my plan is to save a hash of their password hash on the client database to confirm their password is correct before presenting them with an address to fund.
Is this sound and secure? What extra steps could I take to harden the process? If I'm wrongly reinventing a wheel, kindly suggest a protocol to follow.
Thanks for any attention and guidance!
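As an added illustration, not code from the original post or from any protocol the poster is using: a stdlib-only Python sketch of the flow described above (client-side password hashing, server-side key wrapping keyed by the password hash plus a per-key verification key, ciphertext-only storage on the server, and a local hash-of-the-hash so the client can check a typed password before asking for an address). The names `KeyServer`, `run_flow`, the `key-wrap-v1` label, the client-side salt and the random 32-byte stand-in for a freshly generated private key are all assumptions. To keep the example dependency-free, the key wrapping uses encrypt-then-MAC over an HMAC-SHA256 keystream; in production the same slot would be filled by a library AEAD (AES-GCM or ChaCha20-Poly1305) and the client hash by scrypt or Argon2id rather than PBKDF2. The open question in the post about also encrypting the returned verification key under the password hash is left as in the post: here it is simply returned over the (assumed TLS) channel.

```python
import hashlib
import hmac
import os
import secrets

# --- Client side ----------------------------------------------------------

def client_password_hash(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash computed on the client. This 32-byte value,
    never the password itself, is what the client sends to the server.
    PBKDF2 is used only because it is always present in hashlib; scrypt or
    Argon2id would be the preferred choice."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000, dklen=32)

def client_check_value(pw_hash: bytes) -> bytes:
    """Hash of the password hash, kept in the client's local database so a typed
    password can be checked before the server is asked for an address to fund.
    The label gives domain separation from any other use of pw_hash."""
    return hashlib.sha256(b"local-check|" + pw_hash).digest()

def client_password_matches(stored_check: bytes, pw_hash: bytes) -> bool:
    return hmac.compare_digest(stored_check, client_check_value(pw_hash))

# --- Shared primitives ----------------------------------------------------

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF extract-and-expand (RFC 5869) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; stands in for a real stream cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def aead_encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(nonce || ciphertext)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def aead_decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first (constant-time), only then decrypt."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong password hash / verification key, or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

# --- Server side ----------------------------------------------------------

class KeyServer:
    """Hypothetical server: stores only wrapped keys, indexed by verification key."""

    def __init__(self) -> None:
        self.store: dict[bytes, bytes] = {}

    @staticmethod
    def _wrapping_keys(pw_hash: bytes, verification_key: bytes) -> tuple[bytes, bytes]:
        # Both secrets feed the KDF, so neither the stored ciphertext plus the
        # verification key, nor the password hash alone, unwraps the signing key.
        okm = hkdf_sha256(pw_hash + verification_key, salt=b"key-wrap-v1",
                          info=b"enc|mac", length=64)
        return okm[:32], okm[32:]

    def create_key(self, pw_hash: bytes) -> bytes:
        signing_key = secrets.token_bytes(32)        # stand-in for a fresh private key
        verification_key = secrets.token_bytes(32)   # fresh per key, returned to client
        enc_key, mac_key = self._wrapping_keys(pw_hash, verification_key)
        self.store[verification_key] = aead_encrypt(enc_key, mac_key, signing_key)
        return verification_key

    def unwrap_key(self, pw_hash: bytes, verification_key: bytes) -> bytes:
        """Called at transaction/signing time with both values sent by the client."""
        enc_key, mac_key = self._wrapping_keys(pw_hash, verification_key)
        return aead_decrypt(enc_key, mac_key, self.store[verification_key])

def run_flow(password: str, salt: bytes) -> tuple[bool, bytes, bytes]:
    """End-to-end demo: returns (local check passed, verification key, unwrapped key)."""
    server = KeyServer()
    pw_hash = client_password_hash(password, salt)
    local_check = client_check_value(pw_hash)       # saved on the client
    verification_key = server.create_key(pw_hash)   # saved on the client
    ok = client_password_matches(local_check, pw_hash)
    signing_key = server.unwrap_key(pw_hash, verification_key) if ok else b""
    return ok, verification_key, signing_key

if __name__ == "__main__":
    ok, vk, sk = run_flow("correct horse battery staple", os.urandom(16))
    print("local check:", ok, "| verification key:", vk.hex()[:16], "| key bytes:", len(sk))
```

The point the sketch makes concrete is which party holds what: the server ends up with ciphertext and nothing that decrypts it, the client holds the verification key and a hash that only confirms a password, and a wrong password fails closed at the MAC check rather than producing garbage key material.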