Password recovery without email

Published 2024-11-24 06:25:12


I was wondering if anyone has ever used, built or seen a password recovery tool that was completely online and didn't require sending some kind of password reset email.

I understand the security concerns and I am completely open to the idea that this is just not a secure way to handle things but I have been tasked by my employer to look into this type of solution. I feel like I have used something like this before.

Our main concern is email spam filters grabbing lost password emails. If there were best practices on formatting these emails that would be a great thing to send over also.

Any thoughts?

Thanks,

Craig


Comments (2)

从﹋此江山别 2024-12-01 06:25:12


Almost all security relies on varying combinations of the three things below:

  • Cryptographic proof
  • Shared secret
  • Trusted third party

and using them, for a given level of likelihood, to verify that the counter-party in the current transaction is the same party with whom you had the original contract.

Really, that's all "online identity" is - how likely is it that the person talking to me now is the person I was introduced to yesterday.

For example, a password is a shared secret, that both parties know and assume for a given level of likelihood that the other person with the secret is who they think they are.

That's the easy one.

The security question (Mother's Maiden name) is just a second password in case you forget the first.

OpenID is a trusted third party approach. Stack Overflow trusts Google. I try to log in to Stack Overflow and SO passes me over to Google. All SO sees is Google coming back saying "yes he is".

However, compared to email penetration, OpenID is hardly used, so it's not going to work as a recovery option.

The email password reset is an example of a direct shared secret involving a trusted third party - gmail is "trusted" by both parties, so one can send a shared secret to gmail, and trust that for a given level of likelihood, only the other party will be able to access that shared secret.

Finally, cryptography can be used as a trusted third party. If I know your public key I can "trust" RSA and store the new password by encrypting it, then putting it on my website. Only you can read it, so it could work as an instant, online password reset. But the penetration of PGP/GPG is so much worse than that of OpenID that the idea is a non-starter (*).

What you need is a second channel of communication that you gather at the time of contract - usually it's email, but it could be OpenID, a mobile number or their GPG public key. But you must collect that channel at the time of making the initial contract.

Talking of mobiles, I did see a neat one at my local cellphone shop - they texted me a random password, and then the sales assistant entered the password when it arrived at my phone - proving the phone's owner was in the shop and compliant (for a given level of likelihood).

(*) Actually I think there is a solution - http://www.itmanagerscookbook.com/Attitude/identitycrisis.html. As you can tell, trying to express the concepts above is an ongoing effort.
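The "second channel" reset the answer above describes (the email link and the texted random password are the same mechanism) done with the checks a practitioner expects: a random single-use code, stored only as a keyed digest, bound to the account, time-limited, and burned after a few wrong guesses. This is an added example, not code from the original post; the `send` callback stands in for a real mail/SMS provider, `set_password` for the site's own user store, and the user "craig" and phone number are constructed sample data.

```python
"""Second-channel password reset: mint a random one-time code, send it over a
channel collected at sign-up (email address, mobile number, ...), and change
the password only for a request that proves possession of the code.
Added example; `send` and `set_password` are stand-ins for real services."""

import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60   # a code is dead ten minutes after issue
MAX_ATTEMPTS = 5             # after this many wrong guesses the code is burned
CODE_DIGITS = 8              # 10^8 possibilities: only safe *with* the attempt limit


class ResetService:
    def __init__(self, channels, send, set_password, clock=time.time):
        self._channels = channels       # user_id -> address collected at sign-up
        self._send = send               # send(address, message)
        self._set_password = set_password
        self._clock = clock
        self._key = secrets.token_bytes(32)   # server-side key for code digests
        self._pending = {}              # user_id -> reset state; never the raw code

    def request_reset(self, user_id):
        # Returns None either way so the endpoint cannot be used to enumerate user IDs.
        address = self._channels.get(user_id)
        if address is None:
            return
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[user_id] = {
            "digest": self._code_digest(user_id, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._send(address, f"Your password reset code is {code}; it expires in 10 minutes.")

    def complete_reset(self, user_id, code, new_password):
        state = self._pending.get(user_id)
        if state is None:
            return False
        if self._clock() > state["expires"]:
            del self._pending[user_id]
            return False
        state["attempts"] += 1
        if not hmac.compare_digest(state["digest"], self._code_digest(user_id, code)):
            if state["attempts"] >= MAX_ATTEMPTS:
                del self._pending[user_id]   # burned; a fresh request is required
            return False
        del self._pending[user_id]           # single use
        self._set_password(user_id, new_password)
        return True

    def _code_digest(self, user_id, code):
        # Keyed and bound to the account: a leaked pending table cannot be
        # brute-forced over the 10^8 code space, and Alice's code is useless for Bob.
        return hmac.new(self._key, f"{user_id}:{code}".encode(), "sha256").digest()


def demo():
    """Run the flow against a constructed user and return what happened."""
    outbox, passwords, now = [], {"craig": "old-password"}, [1_700_000_000.0]
    svc = ResetService(
        channels={"craig": "+15555550123"},          # constructed sample user
        send=lambda addr, msg: outbox.append((addr, msg)),
        set_password=passwords.__setitem__,
        clock=lambda: now[0],
    )

    def last_code():
        return outbox[-1][1].split("code is ")[1][:CODE_DIGITS]

    def wrong(code):   # a guess guaranteed to differ from the real code
        return ("1" if code[0] != "1" else "2") + code[1:]

    out = {}
    svc.request_reset("craig")
    code = last_code()
    out["wrong_code_rejected"] = not svc.complete_reset("craig", wrong(code), "new-pw")
    out["right_code_accepted"] = svc.complete_reset("craig", code, "new-pw")
    out["password_changed"] = passwords["craig"] == "new-pw"
    out["code_single_use"] = not svc.complete_reset("craig", code, "again")

    svc.request_reset("craig")
    now[0] += CODE_TTL_SECONDS + 1
    out["expired_rejected"] = not svc.complete_reset("craig", last_code(), "late")

    svc.request_reset("craig")
    code = last_code()
    for _ in range(MAX_ATTEMPTS):
        svc.complete_reset("craig", wrong(code), "guess")
    out["burned_after_guessing"] = not svc.complete_reset("craig", code, "guess")

    svc.request_reset("nobody")                       # unknown user: silent, nothing sent
    out["unknown_user_silent"] = len(outbox) == 3
    return out
```

The short numeric code is only acceptable because of the attempt limit and expiry; for an email link, where the secret is pasted rather than typed, use a long `secrets.token_urlsafe()` value instead and keep the same digest, expiry and single-use handling.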

但可醉心 2024-12-01 06:25:12


The only safe alternative I'm aware of is offering a password reset page after a security question (mother's maiden name, but preferably something user-configurable/safer).
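If the security question route is taken, the answer has to be handled as the second, weaker password it is: normalized so that spelling variants do not lock the user out, hashed with a salted slow KDF because the answer space is small, compared in constant time, and locked after a few failures. This is an added example, not code from the original comment; the in-memory record store and the sample user "craig" are constructed for illustration.

```python
"""A security question stored and checked like a second password.
Added example; the record store is an in-memory dict."""

import hashlib
import hmac
import secrets
import unicodedata

MAX_FAILURES = 3          # then the question is locked until an operator intervenes
KDF_ITERATIONS = 100_000  # slow on purpose: answers are low-entropy


def normalize_answer(answer):
    # Case, accents, spacing and punctuation are noise: "St. Mary's" and
    # "st marys" must hash to the same value or users lock themselves out.
    decomposed = unicodedata.normalize("NFKD", answer).casefold()
    return "".join(ch for ch in decomposed if ch.isalnum())


class SecurityQuestionStore:
    def __init__(self):
        self._records = {}   # user_id -> {question, salt, digest, failures}

    def enroll(self, user_id, question, answer):
        salt = secrets.token_bytes(16)
        self._records[user_id] = {
            "question": question,
            "salt": salt,
            "digest": self._kdf(answer, salt),
            "failures": 0,
        }

    def question_for(self, user_id):
        rec = self._records.get(user_id)
        return rec["question"] if rec else None

    def is_locked(self, user_id):
        rec = self._records.get(user_id)
        return rec is not None and rec["failures"] >= MAX_FAILURES

    def verify(self, user_id, answer):
        rec = self._records.get(user_id)
        if rec is None or rec["failures"] >= MAX_FAILURES:
            return False          # unknown user and locked user look identical
        if hmac.compare_digest(rec["digest"], self._kdf(answer, rec["salt"])):
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        return False

    @staticmethod
    def _kdf(answer, salt):
        return hashlib.pbkdf2_hmac(
            "sha256", normalize_answer(answer).encode(), salt, KDF_ITERATIONS
        )


def demo():
    """Enroll a constructed user and return the outcome of each check."""
    store = SecurityQuestionStore()
    store.enroll("craig", "Mother's maiden name?", "O'Brien")   # constructed sample
    out = {
        "exact": store.verify("craig", "O'Brien"),
        "loose": store.verify("craig", "  o brien "),
        "accented": store.verify("craig", "Ó'Brien"),
        "wrong_rejected": not store.verify("craig", "Smith"),
    }
    for _ in range(MAX_FAILURES):
        store.verify("craig", "Smith")
    out["locked"] = store.is_locked("craig")
    out["locked_rejects_correct"] = not store.verify("craig", "O'Brien")
    return out
```

Even with this handling, a security question remains a guessable or researchable secret (a maiden name is public-record data), which is why the comment suggests letting the user configure something safer.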
