PHP密码恢复 [英] PHP password recovery
本文介绍了PHP密码恢复的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我意识到,出于安全性考虑,密码不应以明文形式存储在数据库中.如果我对它们进行哈希处理,则可以出于登录目的对其进行验证.
I realize that for security that passwords should not be stored in a DB as plaintext. If I hash them, I can validate them for login purposes.
但是,如果我想设置一个密码恢复系统,那么最好的策略是什么,因为不会撤消散列操作?
But if I want to set up a password recovery system, what's the best strategy since there is no undoing of the hashing?
有人可以简要概述一下存储和恢复密码的安全策略吗?
Could someone give me a brief overview of a good and secure strategy for storing and recovering passwords?
推荐答案
您无法恢复经过哈希处理的密码,也不应该.
You can not recover password that were hashed, neither should you.
相反,您应该做的是:
- 对密码重置请求进行一些验证,例如CAPTCHA.
- 创建一次性随机代码,并将其链接发送到用户的电子邮件.
- 此代码是否在一个小时内过期.
- 此代码使用后立即失效.
- 在代码链接上,如果它可以验证,请允许他更改密码.
- 通知他密码已更改,但请勿通过电子邮件发送.
- Put some verification on the password reset request, like CAPTCHA.
- Create an one-time random code and send a link with it to user's email.
- Have this code expire in, say, an hour.
- Have this code expire immediately once used.
- On the link with the code, if it validates, allow him to change his password.
- Notify him that the password was changed, but do not send it in the email.
这篇关于PHP密码恢复的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文