为什么在实施忘记密码逻辑时使用安全问题？ [英] Why to Use Security Question While Implementing Forgot Password Logic ?

问题描述

Hello Code项目研究员，

祝大家新年快乐。



伙计们，在我上次的采访中，我被要求解释忘记密码页面的逻辑。

我只是简单地向他们解释：



1 - 我会接受安全问题&它'注册账户时用户的回答。

2 - 当用户点击忘记密码时，我只是问他安全问题的答案，在完全回答安全问题之后，我会向用户发送密码从数据库中检索。



现在，在这个回答之后，面试官问我，因为你要把密码发送到注册用户的个人电子邮件帐户它'已经安全了。

那么这个安全问题需要什么Logic.Coz，除了原始用户以外的其他任何人要求输入密码，然后密码将转到会员的个人电子邮件除原始用户以外无法访问的帐户。



现在对于这个问题，我没有任何好的答案。

所以我请求任何人你回答我，什么应该是它的完美答案。



先谢谢。

Hello Code Project Fellows,
Happy New Year to All.

Guys, in my last interview I was asked to explain the logic of Forgot Password Page.
I simply explained them that:

1-I''d be taking a Security question & it''s answer from the User while registering an Account.
2-When an User click on Forgot Password, I''d be simply asking him the Answer of Security question & after answering the Security question perfectly, I''d be sending the user the Password by Retrieving it from Database.

Now after this answer the Interviewer asked me that, since U r going to send the Password to the Personal email Account of the Registered user It''s already Secure.
So what''s the Need of this Security question Logic.Coz though anyone else other than Original User requesting for password then also the Password is going to Member''s Personal email account which no once can access other than Original User.

Now for this question I didn''t have any good strong answer.
So I request plz anyone of u answer me, what should be the perfect answer for it.

Thanks in Advance.

推荐答案

我希望通过发送密码，他的意思是生成一个新的密码并发送，而不是当前的密码，这应该是不可挽回的。



现在回答我...你想要吗？其他人可以重置你的密码？别介意他们不会得到它。您是否希望每天早上从CP收到一封电子邮件，说您要求提供新密码？来自几个网站怎么样？几十个网站？我不这么认为。



这不是严格意义上的安全问题。

I hope by "send the Password", he means generate a new password and send that, not the current password, which should be irretrievable.

Now answer me this... would you want others to be able to reset your passwords? Never mind that they won''t get it. Would you want to get an email from CP every morning saying you had requested a new password? How about from several sites? Dozens of sites? I don''t think so.

It''s not strictly a security issue.

面试官是正确的 - 如果软件要生成新密码并将其发送到原始注册邮箱地址，则安全问题是多余的，不需要使用。



安全当网站需要直接联系用户而不是通过电子邮件，或者当网站以某种方式显示旧密码时，使用问题。任何可以做到这一点的网站都​​是不安全的，不应该被访问 - 你永远不应该以可以反转的方式存储密码以重新生成原始密码。

The interviewer is correct - if the software is going to generate a new password and send it to the original registers email address, then the security question is redundant, and need not be used.

Security questions are used when the web site needs to contact the user directly, not via email, or when the site is going to reveal the old password in some way. And any site which can do that is insecure and should not be visited - you should never store passwords in a way which can be reversed to re-generate the original password.

这篇关于为什么在实施忘记密码逻辑时使用安全问题？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！