帐户激活的安全性如何?
我正在 Django 中从头开始编写帐户激活过程,这是我的基本思维过程:
创建一个模型,
class UserAccountActivation(models.Model):
lock = models.CharField(max_length=16)
key = models.CharField(max_length=16)
如下所示: 必要时使用如下函数生成锁和密钥值:
def generate_entry():
"""Generate a random alphanumeric string between 8 and 16 characters long."""
''.join(random.choice(string.ascii_lowercase + string.digits) for x in range(random.randint(8,16))
编写如下链接:
r'^activate/(?P<lock>\w{8,16})/(?P<key>\w{8,16})/?$'
并发送它出去。当他们点击链接时,我激活该帐户并禁用激活密钥。
我最初考虑对随机字符串进行哈希处理作为额外的预防措施,但这似乎没有必要,而且在我的 URL 中包含两个 32 长度的密钥会很长:
account/12345678/12345678
or
account/12345678901234567890123456789012/12345678901234567890123456789012
这是处理帐户激活的安全且推荐的方法吗?字符串上是否有必要具有随机长度?
I'm writing an account activation process from the ground up in Django, and here was my basic thought process:
Create a model like:
class UserAccountActivation(models.Model):
lock = models.CharField(max_length=16)
key = models.CharField(max_length=16)
Generate lock and key values when necessary using a function like this:
def generate_entry():
"""Generate a random alphanumeric string between 8 and 16 characters long."""
''.join(random.choice(string.ascii_lowercase + string.digits) for x in range(random.randint(8,16))
Compose a link like this:
r'^activate/(?P<lock>\w{8,16})/(?P<key>\w{8,16})/?
And send it out. When they hit the link, I activate the account and disable the activation key.
I was originally thinking of hashing the random strings as an extra precaution, but this seems unnecessary and it'd be pretty long to have two 32-length keys in my URL:
account/12345678/12345678
or
account/12345678901234567890123456789012/12345678901234567890123456789012
Is this a safe and recommended way of handling account activation? Is it necessary to even have the random length on the strings?
And send it out. When they hit the link, I activate the account and disable the activation key.
I was originally thinking of hashing the random strings as an extra precaution, but this seems unnecessary and it'd be pretty long to have two 32-length keys in my URL:
Is this a safe and recommended way of handling account activation? Is it necessary to even have the random length on the strings?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
好吧,要回答这个问题,您必须考虑为什么您的帐户激活受到保护。可能是为了防止人们猜测激活码,这样他们就可以使用虚假的电子邮件地址。由于电子邮件地址无论如何都很容易获得,因此激活过程并不需要比在网络上注册电子邮件帐户困难得多。任何更多都是浪费精力,因为攻击者只会将攻击转移到另一个弱点。
使用随机字符串对此非常合适。
如果您需要更高的安全性,您可以考虑在其中放置一个散列帐户 ID,这样您就可以计数并停止多次失败的猜测激活码的尝试。
Well, to answer that question you have to consider why you have protection on your account activation. Likely it is to prevent people from guessing the activation code, so they would be able to use a false email address. As email addresses are very easy to get anyway, the activation process doesn't need to be much harder than it would take to register an email account somewhere on the web. Anything more is wasted effort, as the attacker will simply shift the attack to another weak point.
Using random strings is perfectly fine for this.
If you need more security you can consider putting a hashed account id in there, so you can count and then stop multiple failed attempts to guess the activation code.
具有可变长度是一件好事,以免容易受到定时攻击。
另外,python 的内置随机数并不是真正的加密安全,因此最好使用 sha来自 hashlib 或通过 linux 系统随机生成,您可以通过进行 sys 调用来获取。
It is a good thing to have variable length, lest it is susceptible to timing attacks.
Also, python's inbuilt random is not really cryptographicaly safe, so it is always preferable to use sha from hashlib or the system random generated via linux which you can obtain by making a sys call.