最佳实践Web登录/验证? [英] Best practices for web login / authentication?
问题描述
编写code一个网站的用户身份验证部分(包括账户注册,登录和密码重置)是pretty简单,但你需要什么,使一个真正的好的用户身份验证设置?例如,我会考虑不存储明文口令是一个网站一个最起码的要求,但忠告似乎是由口碑在很大程度上传递,大量的网站仍然无法遵循它。
Writing the code for the user authentication portion of a web site (including account registration, logins, and password resets) is pretty simple, but what do you need to make a really good user authentication setup? For example, I'd consider not storing plaintext passwords to be a bare minimum requirement for a web site, but that piece of advice seems to be largely transmitted by word of mouth, and plenty of sites still fail to follow it.
什么是一个网站的用户身份验证部分其他一些很好的建议还是不错的要求?例如,如果用户名是用户选择的,或者它们应该是电子邮件地址?任何陷阱的用户注册部分? (CAPTCHA系统可能是值得整个话题本身。)对于密码重置部分的任何陷阱?还有别的吗?
What is some other good advice or good requirements for the user auth portion of a web site? For example, should usernames be user-selected, or should they be email addresses? Any pitfalls for the user registration portion? (CAPTCHAs are probably worth a whole topic by themselves.) Any pitfalls for the password reset portion? Anything else?
在这里有点重复:<一href=\"http://stackoverflow.com/questions/243957/best-practices-for-login-pages\">best-practices-for-login-pages
推荐答案
加密
有一个关于这个问题昨天 - <一href=\"http://stackoverflow.com/questions/287597/why-should-i-care-about-hashing-passwords-anyway\">Why我应该关心反正哈希密码?涵盖为什么你应该这样做的所有原因。
There was a question about this yesterday - "Why should I care about hashing passwords anyway?" which covers all the reasons why you should do this.
验证码
我不同意里卡多验证码点 - 总是需要验证码,竟然真的不受欢迎的网站得到由垃圾邮件发送者为对象。我的博客,我设置了测试code的某些位,我从来没有联系到从其他任何地方,奇迹般地被垃圾邮件发送者找到。当垃圾邮件发送者已经与有关伟哥相同的帖子不计其数淹没你的网站,你会后悔不采取额外的20分钟安装一个验证码。 验证码有一些插件,使安装它pretty简单,你能帮助他们digify书籍。
I disagree with Ricardo on the captcha point - always require a captcha, even really unpopular sites get targetted by spammers. I have blogs that I set up to test some bits of code that I never linked to from anywhere else that were miraculously found by spammers. When a spammer has flooded your site with zillions of identical posts about viagra you'll regret not taking the extra 20 mins to install a captcha. reCaptcha has some plugins that make installing it pretty simple, AND you get to help them digify books.
不要忘了,视力不佳的用户将需要一个音频验证码。
Don't forget that visually impaired users will need an audio captcha.
忘记密码
如果您已确认用户的电子邮件地址,然后你可以为他们生成一个随机的新密码。请务必促使他们立即更改自己的密码,虽然人们会忘记随机生成的密码,立竿见影。
If you have confirmed the user's email address then you can just generate a random new password for them. Make sure to prompt them to change their password immediately though as people will forget randomly generated passwords straight away.
电子邮件
不要刻意试图实现复杂的正则表达式的,涵盖所有可能的电子邮件地址。做一个简单的检查为@,然后让发送到他们的电子邮件地址的链接,在用户点击来验证。这是常见的做法,但这些天我还碰到过的人试图让聪明了。
DON'T bother trying to implement complex regex's that cover all possible email addresses. Do a simple check for an @ and then let the user click on a link sent to their email address to verify. This is common practice these days but I still come across people trying to get 'clever' about it.
表单验证
除了在注册你的服务器端验证,形成你应该有客户端验证在AJAX的形式让用户知道他们正在填写它自己选择的用户名是否取,他们的密码是否是可以接受的,等,用户可以通过具有补办登记表格几次感到沮丧。
As well as your server side validation on the registration form you should have client side validation in the form of AJAX to let the user know as they're filling it out whether their chosen username is taken, whether their password is acceptable, etc. Users can get frustrated by having to re-submit registration forms several times.
认证本身
这是很好的让人们与它们的用户名或邮箱地址登录,因为人们更容易记住用户名不是电子邮件地址,尤其是如果他们还没有到您的网站在一段时间。
It's nice to let people log in with either their username or email address as people are more likely to remember email addresses than usernames, especially if they haven't been to your site in a while.
如果您的网站的需求增加了安全性(例如,如果你卖的东西,人们只需通过登录得到它),请求另一条信息。询问他们的ZIP /邮政code是一个好主意,因为只需要几秒钟的额外输入,使得它非常难以穷举密码。
If your site needs added security (for example, if you're selling stuff and people can get it just by logging in), request another piece of information. Asking for their zip/postal code is a good idea as it only takes a few extra seconds to type and makes it considerably more difficult to brute force passwords.
这篇关于最佳实践Web登录/验证?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
