Best way for a 'forgot password' implementation?

Views: 158

Problem description

I'm looking for the best method to implement a "forgot password" feature.

I came up with 2 ideas:

  1. When the user clicks on "forgot password", the user is required to key in the username, email and maybe date of birth or last name. Then a mail with a temporary password will be sent to the user's email account. The user uses the temporary password to log in and resets his password.

  2. Similar, but the email would contain a link to let the user reset his password.

Or can anyone suggest a better and more secure way? I'm also thinking of sending the temporary password or link and forcing the user to reset the password within 24 hours, or else the temporary password or link will not be usable. How to do that?

Recommended answer

Update: revised in May 2013 for a better approach


  1. The user enters his username and hits "forgot password". I also recommend the option of entering the email address instead of the username, because usernames are sometimes forgotten too.

  2. The system has a table password_change_requests with the columns ID, Time and UserID. When the new user presses the button, a record is created in the table. The Time column contains the time when the user pressed the "Forgot Password" button. The ID is a string. A long random string is created (say, a GUID) and then hashed like a password (which is a separate topic in and of itself). This hash is then used as the 'ID' in the table.

  3. The system sends an email to the user which contains a link. The link also contains the original ID string (before the hashing). The link will be something like this: http://www.mysite.com/forgotpassword.jsp?ID=01234567890ABCDEF. The forgotpassword.jsp page should be able to retrieve the ID parameter. Sorry, I don't know Java, so I can't be more specific.

  4. When the user clicks the link in the email, he is taken to your page. The page retrieves the ID from the URL, hashes it again, and checks it against the table. If such a record is there and is no more than, say, 24 hours old, the user is presented with the prompt to enter a new password.

  5. The user enters a new password, hits OK and everyone lives happily ever after... until next time!
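The five steps of the answer above, worked through as an added Python example (not code from the original question or answer). The names ResetService, ResetRequest, the sample user and the example.com link are assumptions made here; an in-memory dict stands in for the password_change_requests table, and the clock is injectable so the 24-hour window can be exercised without waiting.

```python
"""Password-reset token flow following steps 1-5 of the answer above.

Added example, not code from the original post. ResetService, ResetRequest,
the sample users and the link format are assumptions made for illustration;
a dict replaces the answer's password_change_requests table.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 24 * 60 * 60  # step 4: links older than 24 hours are rejected


@dataclass
class ResetRequest:
    user_id: int        # the answer's UserID column
    created_at: float   # the answer's Time column


def hash_token(token: str) -> str:
    """Step 2: store only a hash of the random ID, never the ID itself.

    The answer says to hash it "like a password". A slow password hash
    (bcrypt, scrypt, Argon2) exists to protect low-entropy secrets; a token
    with 256 bits of randomness cannot be brute-forced, so a single SHA-256
    is sufficient here and keeps the lookup a direct key match.
    """
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class ResetService:
    def __init__(self, users, clock=time.time):
        # users: {user_id: {"username": ..., "email": ..., "password": ...}}
        self.users = users
        self.clock = clock
        # the answer's table: {ID (token hash): ResetRequest(UserID, Time)}
        self.password_change_requests = {}

    def _find_user(self, identifier):
        # Step 1: accept either the username or the e-mail address.
        for uid, u in self.users.items():
            if identifier in (u["username"], u["email"]):
                return uid
        return None

    def request_reset(self, identifier):
        """Steps 1-3: create the record and return the link to be e-mailed.

        Returns None when no account matches (nothing would be sent). The
        web layer should show the same "check your e-mail" message in both
        cases so the endpoint does not reveal which accounts exist.
        """
        uid = self._find_user(identifier)
        if uid is None:
            return None
        token = secrets.token_urlsafe(32)  # the answer's "GUID": 32 random bytes
        self.password_change_requests[hash_token(token)] = ResetRequest(uid, self.clock())
        # Step 3: the e-mail carries the raw token; the table holds only its hash.
        return f"https://www.example.com/forgotpassword?ID={token}"

    def complete_reset(self, token, new_password):
        """Steps 4-5: re-hash the ID from the URL, check the table and the
        24 h window, then set the new password. Returns True on success."""
        key = hash_token(token)
        req = self.password_change_requests.get(key)
        if req is None:
            return False
        # Consume the record on first use, whether or not it is still valid:
        # a reset link must only ever work once.
        del self.password_change_requests[key]
        if self.clock() - req.created_at > TOKEN_TTL_SECONDS:
            return False
        # Password storage (hashing) is the separate topic the answer mentions;
        # stored as-is here only to keep the example focused on the token flow.
        self.users[req.user_id]["password"] = new_password
        return True
```

Two details the step list leaves implicit are made explicit here: the record is deleted as soon as the link is used, so a token cannot be replayed, and an unknown username or e-mail produces no observable difference other than the absence of a mail, which keeps the form from doubling as an account-enumeration oracle.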

