Secure ways to reset password or to give old password


Question


What is the most secure way to handle forgotten passwords/password resets? Should I email the password to the user? If so do you then force them to reset it? Or do you let them reset it immediately (without sending an email) and require some other information to verify that it is them? Or is there a better method?

Recommended answer


You can't email the password to the user, because you don't know it. You've "hashed" it by applying something like PBKDF2 or bcrypt to it for storage, right?


If you reset the password without confirming it with the owner of the account, an attacker can deny the owner access to his account, at least until he checks his email, by using the victim's email address to request a reset.


A method safe enough for many applications is to email a link to the account owner, containing a large, randomly generated number. This token should only be valid for a limited time. If the owner wishes to reset their password, they click the link and this authenticates them as the account owner. The account owner can then specify a new password.
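The flow the answer describes, written out as an added Python example (not code from the original post): passwords are stored only as PBKDF2 hashes, a reset request leaves the account untouched so that a stranger cannot lock the owner out, the emailed link carries a 256-bit random token of which only a hash is kept server-side, and the token is single-use and expires. The class name, the 15-minute lifetime, the in-memory dictionaries standing in for a database and the injectable clock are assumptions made for the example; sending the actual email is left to the caller, which receives the token.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60   # assumption: reset links expire after 15 minutes
PBKDF2_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); the plaintext password is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def _token_key(token: str) -> str:
    # Only this hash is stored, so a leaked reset table cannot be replayed as links.
    return hashlib.sha256(token.encode()).hexdigest()


class PasswordResetService:
    """Hypothetical service: in-memory stand-in for the user and reset-token tables."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self.users = {}           # email -> {"salt": bytes, "hash": bytes}
        self.pending = {}         # sha256(token) -> (email, expires_at)

    def register(self, email: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[email] = {"salt": salt, "hash": digest}

    def login(self, email: str, password: str) -> bool:
        rec = self.users.get(email)
        if rec is None:
            return False
        return verify_password(password, rec["salt"], rec["hash"])

    def request_reset(self, email: str) -> Optional[str]:
        """Return the token to embed in the emailed link, or None for an unknown address.

        Nothing about the account changes here: until the owner follows the link,
        the old password keeps working, so a third party requesting resets cannot
        deny the owner access. The caller should show the same "check your email"
        message either way so the response does not reveal which addresses exist.
        """
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)   # 32 bytes of CSPRNG output, 256 bits
        self.pending[_token_key(token)] = (email, self.now() + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Consume the token from the link; on success the new password is set."""
        entry = self.pending.pop(_token_key(token), None)   # single use, even if expired
        if entry is None:
            return False
        email, expires_at = entry
        if self.now() > expires_at:
            return False
        salt, digest = hash_password(new_password)
        self.users[email] = {"salt": salt, "hash": digest}
        return True


if __name__ == "__main__":
    svc = PasswordResetService()
    svc.register("alice@example.com", "old-password")          # constructed sample user
    token = svc.request_reset("alice@example.com")
    print("link would contain token:", token)
    print("reset ok:", svc.complete_reset(token, "new-password"))
    print("old password still works:", svc.login("alice@example.com", "old-password"))
    print("new password works:", svc.login("alice@example.com", "new-password"))
```

The two properties the answer calls for fall out of the structure: `request_reset` writes only to the pending table, so the denial-of-service the answer warns about is impossible, and `complete_reset` pops the entry before checking expiry, so a token can never be used twice and an expired one is cleaned up on first touch.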

