从可用性角度来看,实现密码恢复的最佳方法是什么?

发布于 2024-09-12 19:38:36 字数 154 浏览 26 评论 0原文

我阅读了有关 SO 的其他密码恢复问题,似乎大多数人都认为发送只能使用一次并在几天后过期的密码恢复链接是最安全的。

现在我的问题是,(我知道这是主观的,但我正在寻找您可能从用户那里收到的输入)

这对用户来说也相当舒适吗?我所说的用户是指你的祖母,而不是你的同事。

I read the other password recovery questions on SO and it seems that most people consider sending a password recovery link that can be used only once and expires after a couple of days to be most secure.

Now my question, (I know it is subjective, but I am looking for input that you may have received from your users)

Is this also decently comfortable for users? and by users I mean your grandmother not you co-worker.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(5

日记撕了你也走了 2024-09-19 19:38:36

作为用户,我喜欢可以选择自己选择的新密码,然后向我发送激活邮件,提供可点击的链接以使新密码生效。

我不喜欢向我发送新的一次性密码,让我登录并在我的个人资料中编辑它。

不过,最棒的是可以使用 OpenID 登录,因此我根本不需要保留任何密码。

As a user, I like when I can pick a new password of my choice, then have an activation mail sent to me, providing a clickable link for the new password to take effect.

I do not like when a new one time password is sent to me, having me to log in and edit it in my profile.

Best of all, though, is to have OpenID login, so I don't have to keep any password at all.

蓝颜夕 2024-09-19 19:38:36

有什么比单击激活链接并输入新密码更简单的呢?

What can be simpler than clicking an activation link and entering a new password?

十年九夏 2024-09-19 19:38:36

在访问控制、可用性或安全性方面,您的网站的重点是什么?

如果它的可用性那么也许以纯文本形式存储密码并允许根据请求将它们发送到注册的电子邮件地址就足够了,并且可能比更安全的替代方案更有用。

如果安全是答案,那么陷门编码和密码重置是更好的选择。

What is the focus of your site when it comes to access control, usability or security?

If it's usability then perhaps storing passwords in plain text and allowing them to be sent to the registered email address upon request is sufficient and potentially more usable than the more secure alternative.

If security is the answer then trapdoor encoding and password reset is the better option.

昔梦 2024-09-19 19:38:36

根据经验,我建议如下:

  1. 用户填写“忘记密码”表格,该表格会向他们发送一封电子邮件。
  2. 该电子邮件(至少)包含密码重置链接。
  3. 如果他们点击链接,就会收到一个随机生成的新密码。 (为了清楚起见,混合了上/下字母和数字负 0、o、1、i 等。)

虽然从纯粹的可用性角度来看这可能并不理想(在理想的世界中,您不必拥有首先是密码,让我们面对现实吧),但它确实会尝试确保您执行合法的密码重置。

或者(或者确实与上述结合使用),您可以允许用户存储一个简单的密码提醒文本字符串,该字符串也出现在第一封出站电子邮件中。 (如果他们在这个阶段意识到密码是什么,他们可以简单地输入密码,而不必执行重置。)但是,我不建议在网站本身上输出此密码,因为它可能是一个太强的线索。

Based on experience, I'd recommend the following:

  1. The user fills in a "forgotten password" form which sends them an email.
  2. The email contains (at least) a password reset link.
  3. If they click on the link they're sent a new randomly generated password. (Mix of upper/lower alpha and numeric minus 0, o, 1, i, etc. for the sake of clarity.)

Whilst this might not be ideal from a pure usability perspective (in an ideal world you wouldn't have to have a password in the first place, let's face it), it does however attempt to ensure that you're carrying out a legitimate password reset.

Alternatively (or indeed in conjunction with the above), you could allow the user to store a simple password reminder text string that's also present in the first outbound email. (If they realise what the password is at this stage they can simply enter it rather than having to perform a reset.) I wouldn't however recommend outputting this on the web site itself, as it's liable to be too strong a clue.

沧桑㈠ 2024-09-19 19:38:36

从可用性角度来看?如果连续三次登录失败,则假设他们确实忘记了密码,无论如何都让他们登录并提示更改密码。

我见过的针对低安全性帐户的最佳系统之一是邮寄链接。用户无需记住站点 URL、用户名或密码。该网站无法了解用户在管理密码方面的任何弱点。

From a usability perspective? If a login fails three times in a row, assume they have legitimately forgotten their password, let them in anyway and prompt for changing the password.

One of the best systems I've seen for low-security accounts, is to mail a link. No need for the user to remember site URL, username or password. The site doesn't get to know about any weaknesses the user has in managing passwords.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文