重置密码或提供旧密码的安全方法
处理忘记密码/密码重置的最安全方法是什么?我应该通过电子邮件将密码发送给用户吗?如果是这样,你会强迫他们重置它吗?或者您是否让他们立即重置(不发送电子邮件)并需要一些其他信息来验证是他们本人?或者有更好的方法吗?
What is the most secure way to handle forgotten passwords/password resets? Should I email the password to the user? If so do you then force them to reset it? Or do you let them reset it immediately (without sending an email) and require some other information to verify that it is them? Or is there a better method?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
您无法通过电子邮件将密码发送给用户,因为您不知道该密码。您已通过 应用 PBKDF2 或 bcrypt 之类的东西来存储,对吗?
如果您在未与帐户所有者确认的情况下重置密码,则攻击者可以通过使用受害者的电子邮件地址请求重置来拒绝所有者访问其帐户,至少在他检查电子邮件之前是如此。
对于许多应用程序来说足够安全的方法是将链接通过电子邮件发送给帐户所有者,其中包含一个随机生成的大数字。该令牌应仅在有限时间内有效。如果所有者希望重置密码,他们可以单击该链接,这会将他们验证为帐户所有者。然后,帐户所有者可以指定新密码。
You can't email the password to the user, because you don't know it. You've "hashed" it by applying something like PBKDF2 or bcrypt to it for storage, right?
If you reset the password without confirming it with the owner of the account, an attacker can deny the owner access to his account, at least until he checks his email, by using the victim's email address to request a reset.
A method safe enough for many applications is to email a link to the account owner, containing a large, randomly generated number. This token should only be valid for a limited time. If the owner wishes to reset their password, they click the link and this authenticates them as the account owner. The account owner can then specify a new password.
您不应通过电子邮件发送密码。这是我使用过的分步过程:
在设置新密码之前,旧密码应保持有效。不要忘记对密码进行哈希和加盐!
You shouldn't send passwords via email. Here is a step by step process I've used:
Until the new password is set, the old password should remain active. Don't forget to hash and salt the passwords!
我想你会以编程方式做到这一点?或者是服务器故障的问题?
其中一种方法是将链接发送到用户的电子邮件帐户。他/她点击链接并被重定向到您的安全网络表单,并在其中重置密码。
不要通过电子邮件将密码发送给用户
I suppose you are going to do it programmatically? Or is it a question for Server Fault?
One of the ways is to send a link to the user's email account. He/she clicks on the link and is redirected to your secure web form where they reset the password.
Do NOT email the password to the user