我想创建密码恢复吗? [英] i want to create password recovery?
本文介绍了我想创建密码恢复吗?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我想向用户提供短信/电子邮件功能.我该怎么办?请帮助我.
解决方案
实际的密码恢复不是一个好主意:这意味着您必须以可以将其发送给用户的形式存储密码.
更好的主意是将密码重置为随机值,然后将其通过电子邮件发送给用户.然后,他可以将其更改为登录时会记住的内容.
这里有一些有关密码的说明:密码存储:如何做到这一点. [ ^ ]
以及此处的通用电子邮件例程:发送电子邮件带有或不带有附件的C#中:通用例程. [
我们可以混淆我们的代码"-哦,这是一个很好的代码! 我会把钥匙藏在垫子下面来保护我的房子,没人会看那里!"
即使您的代码被混淆了,您仍然可以阅读它.执行它.用它解密密码.您使用多少个不同的密码?大多数人(如果可以选择)对所有内容使用相同的密码.想一想.这意味着,如果您的站点易受攻击,则将显示所有内容的密码.
如果用户想恢复(完全恢复)他的密码而不是创建新密码,为什么我们不应该对其进行加密?"
恢复是我反对的事情:如果用户忘记了密码,当您将密码还给他时,您怎么知道您是与之对话的用户?如果不是真正的用户,则您只给出了他的密码,而他不知道.如果您重置他的密码,并将新密码发送到他最初注册的电子邮件,那么至少有一定的安全余地,旧密码也不再起作用:至少真实用户知道存在违规行为.
我经常看到带有加密密码的数据库"
仅仅因为一个白痴沿高速公路错误的方向行驶,这是否是个好主意?
太多的人在构建站点之前没有考虑,特别是关于安全隐患.这并不意味着我们都应该连接我们的SQL查询,因为很多其他站点都容易受到SQL Injection攻击,因此我们也应该如此."
1.请勿以纯文本形式存储密码.我知道您没有对此提出疑问,但是由于世界上一些最大的网站仍然没有弄清楚,我认为值得一提.您不是以明文形式存储密码吗?
2.问问自己,他们是否真的需要恢复密码或重设密码.如果恢复,则需要使用加密存储其密码.我强烈建议您不要这样做.如果黑客发现您的私钥或密码,则他们可以访问所有密码.如果他们能够下载加密的密码,则可以使用常见的技术在短时间内破解大多数密码.
3.如果他们只需要重设密码,则无需再将其旧密码发送给他们.您可以将他们的密码存储为盐渍哈希 [ 解决方案
Actual password recovery is not a good idea: it means you have to store the password in a form that you can send it to the user.
A better idea is to reset the password to a random value, and email that to the user. He can then change it to something he will remember when he logs in.
There are some notes on passwords here: Password Storage: How to do it.[^]
And a generic email routine here: Sending an Email in C# with or without attachments: generic routine.[^]
"But we can obfuscate our code and store secret key not in code.
And if user want to recovery (exactly recovery) his password and not to create new why we shouldn''t encrypt it?
I really agree with your opinion by in large, but I often see databases with encrypded passwords, not hashed."
"we can obfuscate our code" - oh, that is a good one! "I''ll secure my house by hiding the key under the mat, no-one will look there!"
Even if your code is obfuscated, you can still read it. Execute it. Decrypt passwords with it. How many different passwords do you use? Most people (if given a choice) use the same password for everything. Think about it. That means that if your site is vulnerable, then the password to everything is revealed.
"And if user want to recovery (exactly recovery) his password and not to create new why we shouldn''t encrypt it?"
Recovery is something I argue against: if the user has lost his password, how do you know it is the user you are talking to when you give it back to him? If it isn''t the real user, you have just given out his password and he doesn''t know. If you reset his password, and send the new one to the email he originally registered with, then at least there is some margin of security, and the old password no longer works: at least the real user becomes aware that there has been a breach.
"I often see databases with encrypded passwords"
Just because one idiot drives the wrong way up the motorway, does that make it a good idea?
There are too many people out there who do not think before they construct a site, particularly about the security implications. That doesn''t mean we should all concatenate our SQL queries, because "lots of other sites are vulnerable to SQL Injection attacks, so we should be too."
1. Do not store the passwords in plaintext. I know you didn''t ask about that, but since some of the biggest websites in the world still haven''t figured that out, I thought it worth mentioning. You''re not storing the passwords in plaintext ARE YOU?
2. Ask yourself, do they really need to RECOVER their password or RESET their password. If recover, you will need to store their passwords using encryption. I STRONGLY DISCOURAGE you to do this. If a hacker discovers your private key or password they have access to all of the passwords. If they are able to download the encrypted passwords they can use common techniques to crack most of the passwords in a short amount of time.
3. If they just need to reset their password, you''ll never need to send them their old password. You can store their password as a salted hash[^]. Just send them a new one and force them to change the password at the next login.
4. Sending the password using SMS isn''t a bad ideas as long as they have to enter their SMS phone number BEFORE they lose their password. I think you''ll find most people don''t want to give out their cell number though.
这篇关于我想创建密码恢复吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
