What is the best "forgot my password" method?


Question

Possible Duplicate:
Forgot Password: what is the best method of implementing a forgot password function?

I'm programming a community website.

I want to build a "forgot my password" feature.

Looking around at different sites, I've found they employ one of three options:

  1. send the user an email with a link to a unique, hidden URL that allows him to change his password (Gmail and Amazon)
  2. send the user an email with a new, randomly generated password (Wordpress)
  3. send the user his current password (www.teach12.com)

Option #3 seems the most convenient to the user but since I save passwords as an MD5 hash, I don't see how option #3 would be available to me since MD5 is irreversible. This also seems to be an insecure option since it means that the website must be saving the password in clear text somewhere, and at the least the clear-text password is being sent over insecure e-mail to the user. Or am I missing something here?

So if I can't do option #1, option #2 seems to be the simplest to program since I just have to change the user's password and send it to him. Although this is somewhat insecure since you have to have a live password being communicated via insecure e-mail. However, this could also be misused by trouble-makers to pester users by typing in random e-mails and constantly changing passwords of various users.

Option #1 seems to be the most secure but requires a little extra programming to deal with a hidden URL that expires etc., but it seems to be what the big sites use.

What experience do you have using or programming these various options? Are there any options I've missed?

Recommended answer

4) Credit their bank account with two random amounts and ask them to enter those in.
5) Snail mail them some new password and ask them to enter it in.
6) Have them text or call some number and enter some value with the mobile phone they registered on file.
7) Get out of the password management problem altogether by outsourcing it to OpenID providers, as Stack Overflow, Facebook, blog engines, and others are starting to do.

Outside of those, use option #1 or #2 with the added feature that both expire in an hour.
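As an added example (not code from the question or the answer), the following Python sketch implements option #1 from the question with the one-hour expiry the answer recommends. The service name, the `User`/`ResetRecord` records, the in-memory "outbox" standing in for a mailer, and the `example.test` addresses and placeholder password hashes are all constructed for illustration. The points it demonstrates: the reset token is random and high-entropy, only its SHA-256 digest is stored so a database leak does not yield usable links, the token is single-use and expires, comparison is constant-time, an unknown address behaves exactly like a known one from the outside, and the user's existing password stays valid until the link is actually consumed, which is what defuses the "trouble-maker keeps resetting other people's passwords" problem the question raises about option #2.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 3600  # one hour, as the answer recommends


@dataclass
class ResetRecord:
    token_hash: bytes   # SHA-256 of the token; the token itself is never stored
    expires_at: float   # absolute time after which the token is dead


@dataclass
class User:
    email: str
    password_hash: str              # whatever hash the site uses; a placeholder here
    reset: Optional[ResetRecord] = None


class PasswordResetService:
    """Option #1: e-mail a one-time, expiring link; change nothing until it is used."""

    def __init__(self, users: List[User], now: Callable[[], float] = time.time,
                 base_url: str = "https://example.test/reset"):   # assumed URL
        self.users: Dict[str, User] = {u.email: u for u in users}
        self.now = now
        self.base_url = base_url
        self.outbox: List[Tuple[str, str]] = []   # constructed stand-in for a mailer

    @staticmethod
    def _hash_token(token: str) -> bytes:
        # The token has 256 bits of entropy, so a plain digest (no salt) is enough
        # to make a leaked database useless for forging links.
        return hashlib.sha256(token.encode("utf-8")).digest()

    def request_reset(self, email: str) -> None:
        user = self.users.get(email)
        if user is None:
            return   # silently do nothing: same observable result as a real account
        token = secrets.token_urlsafe(32)   # 256-bit CSPRNG token
        user.reset = ResetRecord(self._hash_token(token), self.now() + TOKEN_TTL_SECONDS)
        # Existing password is untouched; a stranger requesting resets cannot lock anyone out.
        self.outbox.append((email, f"{self.base_url}?email={email}&token={token}"))

    def complete_reset(self, email: str, token: str, new_password_hash: str) -> bool:
        user = self.users.get(email)
        if user is None or user.reset is None:
            return False
        record = user.reset
        if self.now() > record.expires_at:
            user.reset = None          # expired: discard so it can never be replayed
            return False
        if not hmac.compare_digest(record.token_hash, self._hash_token(token)):
            return False               # wrong token; leave the pending record in place
        user.reset = None              # single use: consume before changing anything
        user.password_hash = new_password_hash
        return True


def demo() -> Dict[str, object]:
    """Walk through the normal flow and the failure modes with a controllable clock."""
    clock = [1_000_000.0]
    alice = "alice@example.test"
    svc = PasswordResetService([User(alice, "hash-of-old-password")], now=lambda: clock[0])

    svc.request_reset(alice)
    svc.request_reset("nobody@example.test")   # unknown account: no mail, no error
    link = svc.outbox[-1][1]
    token = parse_qs(urlparse(link).query)["token"][0]

    results: Dict[str, object] = {}
    results["wrong_token"] = svc.complete_reset(alice, "A" * 43, "hash-of-attacker-pw")
    results["password_unchanged_before_use"] = svc.users[alice].password_hash == "hash-of-old-password"
    results["valid"] = svc.complete_reset(alice, token, "hash-of-new-password")
    results["replay"] = svc.complete_reset(alice, token, "hash-of-replayed-pw")

    svc.request_reset(alice)   # second link, then let it age past the TTL
    token2 = parse_qs(urlparse(svc.outbox[-1][1]).query)["token"][0]
    clock[0] += TOKEN_TTL_SECONDS + 1
    results["expired"] = svc.complete_reset(alice, token2, "hash-of-late-pw")
    results["mails_sent"] = len(svc.outbox)
    results["final_hash"] = svc.users[alice].password_hash
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same structure works for option #2 if the mailed secret is a temporary password rather than a link: store only its hash with an expiry, accept it once, and force a change on first use. What cannot be recovered in either design is the user's current password, which is exactly the property the question wants from its hashed storage.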
