允许用户更改其密码的模式.用户是否应该重复输入新密码并输入旧密码? [英] Pattern for allowing a user to change his password. Should the user have to repeat the new password as well as enter the old password?
问题描述
关于在SO上恢复密码有很多问题,但考虑到以下两个问题之一,不是有关更改密码的问题:
There are lots of questions about recovering passwords on SO, but not about changing passwords considering one of the two following:
1)用户已经在系统中进行了身份验证(通过user/pw或通过第三方身份验证,例如facebook/twitter)
2)用户知道他或她的旧密码.
1) The user is authenticated in the system already (either through user/pw or through third part authentication e.g. facebook/twitter)
2) The user knows his or her old password.
鉴于这些出发点,对于允许用户以最少的步骤更改其密码的最佳做法,我有两个不同的问题.
Given these starting points, I have two distinct question as to what the best practice is for allowing a user to change his or her password in the fewest steps.
场景(用户已经通过身份验证并登录到系统):
输入旧密码: _ __ _ __ _ (1:我可以删除此密码)
输入新密码: _ __ _ __ _
再次输入新内容: _ __ _ __ _ (2:我可以摆脱它)
Scenario (user has already authenticated and logged into system):
Enter Old Password:_______ (1: can I get rid of this)
Enter New Password:_______
Enter New Again: _______ (2: can I get rid of this)
1)可以让用户不输入旧密码吗?在这种情况下,我假设用户已经通过系统身份验证.让用户重新输入密码似乎是多余的.我了解这对于高安全性应用程序(例如银行业务)可能非常重要,在该应用程序中,用户无人参与会话可以允许某人输入新密码,而无需知道使他们进入这种情况的密码.
1) Is it ok to not have the user enter his old password? In this case I'm assuming the user is already authenticated into the system. It seems redundant to have the user re-enter the password. I understand this could be important for high security applications (e.g. banking) where a user leaving the a session unattended could allow someone to enter a new password without knowing the password that got them into this situations.
在我演示的示例中,应用程序的安全性不是很高,风险也很低.另外,由于我们允许第三方身份验证(facebook/twitter),因此从理论上讲,如果其他人在计算机上并且用户拥有用于facebook/twitter的实时cookie,则他们可以进入该帐户.
In the example I'm presenting, the application is not very high security and risk is low. Also, since we allow third part authentication (facebook/twitter) then theoretically if someone else was on the machine and the user had a live cookie for facebook/twitter, they could get into the account.
2)可以让用户两次不输入新密码.这样做感觉有点像90年代.人们现在已经习惯使用密码了,他们输入密码的可能性比预期高出5%的可能性似乎并不超过两次输入密码所花费的时间.在5%的情况下,最坏的情况是他们只需要重置密码(或仅使用facebook/twitter登录并重置密码)即可.我发现现在这样做的一个网站是Quora(尽管他们仍然执行第1步).我还没有看到其他许多人这样做.
2) Is it ok to not have the user enter the new password twice. This feels a bit 90's-ish doing this. People are used to passwords now, and the 5% chance they type their password differently than they expect does not seem to outweigh the time spent typing it in twice. In that 5% scenario, the worst case is they just have to reset their password (or just login with facebook/twitter and reset it). One website that I found doing this now is Quora (though they still do step 1). I have not seen many others doing the same.
推荐答案
首先,我告诫您,永远不要,永远,永远,永远,永远不要假设用户就是他说的那样,尤其是在更改用户名时.非常关键,使他们能够访问自己的帐户.这是一种非常常用的方法,始终需要密码验证才能编辑密码.
First, I would caution you to never, ever, ever, ever, ever assume the user is who he says he is, especially when it comes to changing the very key that allows them access to their account. It is a very well used method to always require a password authentication to edit the password.
至于两次输入密码,通常是在后端完成,因此您可以比较两个密码并确保它们相同.这样做是为了确保用户打算在键入密码时键入密码.连续两次输入相同错字的可能性不大,因此,如果两个密码相同,则可以很好地假定它们是没有错字的.
As for entering the password twice, that is mostly done so on the back end you can compare the two passwords and make sure that they are identical. This is done to make sure that the user has intended to type the password as it is typed. The odds of making the same typo twice in a row are not likely, and as such if the two passwords are identical you can pretty well assume that they are typo free.
我个人更愿意花10秒钟的时间重新输入密码,而不必经历麻烦,即意识到自己输入了密码,然后不得不重设密码,访问我的电子邮件,重新访问该网站,然后重新输入我的密码.在一天结束时,您仍然必须键入两次,第一种方法更加简化了.
Personally I would much rather take 10 seconds out of my day to retype a password, instead of having to go through the hassle of realizing that I typoed my password, then having to reset my password, visit my email, revisit the website, and then re-enter my password. At the end of the day you still have to type it twice, the first method just is so much more streamlined.
如果没有让他们首先验证使用身份验证方法的能力,我将永远不允许用户编辑身份验证方法.一些用户可以在离开座位时登录计算机,这使其他用户可以坐下并访问私人数据,如果他们无需输入当前密码就可以更改密码,那么打开该帐户的机会就更大了被滥用.
And I would never allow a user to edit an authentication method, without having them verify the ability to use an authentication method in the first place. Some users leave their computers logged in while leaving their seats, which allows others to sit down and access private data, and if they have access to changing a password without needing to enter the current password, that opens the account to an easier chance of being abused.
这篇关于允许用户更改其密码的模式.用户是否应该重复输入新密码并输入旧密码?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
