PHP password recovery


Problem description

I realize that for security that passwords should not be stored in a DB as plaintext. If I hash them, I can validate them for login purposes.

But if I want to set up a password recovery system, what's the best strategy since there is no undoing of the hashing?

Could someone give me a brief overview of a good and secure strategy for storing and recovering passwords?

Recommended answer

You cannot recover passwords that were hashed, nor should you.

Instead, what you should do is:

  1. Put some verification on the password reset request, like CAPTCHA.
  2. Create a one-time random code and send a link with it to the user's email.
  3. Have this code expire in, say, an hour.
  4. Have this code expire immediately once used.
  5. On the link with the code, if it validates, allow him to change his password.
  6. Notify him that the password was changed, but do not send it in the email.
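As an added example (not part of the answer above or of the original page), here is one way to implement steps 2 to 5 of that procedure in PHP. The in-memory arrays stand in for database tables, and the function names, record layout and reset URL are assumptions made for illustration; the CAPTCHA check (step 1) and the notification email (step 6) are left to the surrounding application.

```php
<?php
// Added example: one-time, expiring password-reset tokens in PHP.
// The arrays below are a constructed stand-in for real database tables;
// function names, record layout and the reset URL are assumptions.
declare(strict_types=1);

const RESET_TTL_SECONDS = 3600; // step 3: a reset code is valid for one hour

// Constructed sample user table: only password_hash() output is stored, never the password.
$users = [
    'alice@example.com' => ['password_hash' => password_hash('old-secret', PASSWORD_DEFAULT)],
];
// Reset table keyed by sha256(token): ['email' => ..., 'expires' => unix time, 'used' => bool]
$resetTokens = [];

// Step 2: create a one-time random code. Only its SHA-256 is stored, so a leaked
// reset table does not hand an attacker a working link. Returns the raw token
// that goes into the emailed link.
function createResetToken(array &$resetTokens, string $email, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, 64 hex chars
    $resetTokens[hash('sha256', $token)] = [
        'email'   => $email,
        'expires' => $now + RESET_TTL_SECONDS,
        'used'    => false,
    ];
    return $token;
}

// Steps 3 and 4: validate the code carried by the link. Returns the email the
// token belongs to, or null if it is unknown, already used, or expired.
function validateResetToken(array $resetTokens, string $token, int $now): ?string
{
    $key = hash('sha256', $token);
    if (!isset($resetTokens[$key])) {
        return null;
    }
    $rec = $resetTokens[$key];
    if ($rec['used'] || $now > $rec['expires']) {
        return null;
    }
    return $rec['email'];
}

// Step 5: set the new password and burn the token in the same operation, so the
// link cannot be replayed. Returns false if the token is invalid.
function completeReset(array &$users, array &$resetTokens, string $token, string $newPassword, int $now): bool
{
    $email = validateResetToken($resetTokens, $token, $now);
    if ($email === null || !isset($users[$email])) {
        return false;
    }
    $users[$email]['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    $resetTokens[hash('sha256', $token)]['used'] = true; // step 4: single use
    // Step 6 would go here: tell the user the password changed, without including it.
    return true;
}

// Constructed demo run: request a reset, use the link once, then try to reuse it,
// and finally show that a fresh token is refused once its hour has passed.
$now   = time();
$token = createResetToken($resetTokens, 'alice@example.com', $now);
$link  = 'https://example.com/reset?token=' . $token; // hypothetical link sent in the email
echo "emailed link: $link\n";
echo 'first use:   ', completeReset($users, $resetTokens, $token, 'new-secret', $now) ? 'accepted' : 'rejected', "\n";
echo 'second use:  ', completeReset($users, $resetTokens, $token, 'again', $now) ? 'accepted' : 'rejected', "\n";
echo 'new password verifies: ', password_verify('new-secret', $users['alice@example.com']['password_hash']) ? 'yes' : 'no', "\n";
$late = createResetToken($resetTokens, 'alice@example.com', $now);
echo 'use after expiry: ', validateResetToken($resetTokens, $late, $now + RESET_TTL_SECONDS + 1) === null ? 'rejected' : 'accepted', "\n";
```

Two design points worth keeping in a real implementation: the token is looked up by its hash, so a database read never yields a usable link, and the "used" flag is set in the same step that writes the new hash, so there is no window in which the link can be replayed. The reset request endpoint should also return the same response whether or not the address exists, otherwise the form becomes an account-enumeration oracle.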
