PHP Forgot Password Function


Question

I have a small community website and I need to implement some sort of forgotten password function. I currently store the passwords in the DB, encrypted with MD5.

Is it possible to sort of 'decrypt' and send it to the user via email, or would I need to have a password reset page?

Accepted answer

An MD5 hashed password is not reversible. (MD5 is hashing, and not really encrypting, so there's a subtle difference). And yes, you'll definitely want to provide a password "reset" process (and not simply email the password).

Here's a high-level workflow for a secure password reset...

  1. When the user asks to reset their password, make them enter their email address.
  2. Don't indicate if that email address was valid or not (just tell them that an email was dispatched). This is open for debate as it lowers usability (i.e. I have no idea which email I registered with), but it offers less information to people trying to gather information on which emails are actually registered on your site.
  3. Generate a token (maybe hash a timestamp with a salt) and store it in the database in the user's record.
  4. Send an email to the user along with a link to your https reset page (token and email address in the URL).
  5. Use the token and email address to validate the user.
  6. Let them choose a new password, replacing the old one.
  7. Additionally, it's a good idea to expire those tokens after a certain time frame, usually 24 hours.
  8. Optionally, record how many "forgot" attempts have happened, and perhaps implement more complex functionality if people are requesting a ton of emails.
  9. Optionally, record (in a separate table) the IP address of the individual requesting the reset. Increment a count from that IP. If it ever reaches more than, say, 10... ignore their future requests.

Some more details on hashing for you...

When you hash a value like a password using the md5() function in PHP, the final value is going to be the same for that password no matter which server you run it on. (So there's one difference we can see right away between hashing and encryption... there's no private/public key involved).

So this is where you'll see people mention a vulnerability to rainbow tables. A very basic explanation of a rainbow table is... you md5() hash a bunch of dictionary words (weak passwords) in order to get their md5() hashed values. Put those in a database table (rainbow table).

Now, if you compromise a web site's database, you can run the users' hashed passwords against your rainbow table to (in essence) "reverse" the hash back to a password. (You're not really "reversing" the hash... but you get the idea).

That's where "salting" your passwords is best practice. This means (again, very basic idea here) that you append a random value to the users' passwords before you hash them. Now, when the rainbow table is run against your database, it's not as easily "reversed" because the md5() hash of "password" is different from that of "password384746".

Here's a nice SO Q/A that should help: Secure hash and salt for PHP passwords
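The nine-step reset workflow in the answer above, written out as an added PHP example (it is not code from the original question or answer). It stands in for the database with two in-memory arrays, `$users` and `$ipCounts`, both constructed here; the site name `example.com`, the 24-hour lifetime and the per-IP limit of 10 are taken from the answer, and only a SHA-256 hash of the token is stored, so a copied database row cannot be used to finish a reset. That storage choice is an addition of this example, not something the answer prescribes.

```php
<?php
// Added example of the reset workflow described in the answer; not the
// original poster's code. Arrays replace the database tables.
declare(strict_types=1);

const TOKEN_TTL_SECONDS   = 24 * 60 * 60; // step 7: tokens expire after 24 hours
const MAX_REQUESTS_PER_IP = 10;           // step 9: ignore an IP after 10 requests

// Constructed stand-in for the users table (email => record).
$users = [
    'alice@example.com' => [
        'password_hash'    => password_hash('old-password', PASSWORD_DEFAULT),
        'reset_token_hash' => null,
        'reset_expires'    => null,
    ],
];
// Constructed stand-in for the separate per-IP counter table (step 9).
$ipCounts = [];

// Steps 1-4 and 9: handle a "forgot password" request.
// Returns [message shown to the requester, link that would be emailed or null].
function requestReset(array &$users, array &$ipCounts, string $email, string $ip): array
{
    // Step 2: the same message whether or not the address is registered.
    $message = 'If that address is registered, a reset email has been sent.';

    $ipCounts[$ip] = ($ipCounts[$ip] ?? 0) + 1;
    if ($ipCounts[$ip] > MAX_REQUESTS_PER_IP || !isset($users[$email])) {
        return [$message, null]; // unknown address or rate-limited IP: no email
    }

    // Step 3: a random token, stored only as a hash (assumption of this example).
    $token = bin2hex(random_bytes(32));
    $users[$email]['reset_token_hash'] = hash('sha256', $token);
    $users[$email]['reset_expires']    = time() + TOKEN_TTL_SECONDS;

    // Step 4: the https link carrying token and email address.
    $link = 'https://example.com/reset?' . http_build_query(['email' => $email, 'token' => $token]);
    return [$message, $link];
}

// Steps 5 and 7: validate token and email, rejecting expired or mismatched tokens.
function validateToken(array $users, string $email, string $token): bool
{
    $record = $users[$email] ?? null;
    if ($record === null || $record['reset_token_hash'] === null) {
        return false;
    }
    if (time() > $record['reset_expires']) {
        return false; // step 7: token too old
    }
    // Constant-time comparison of the stored hash against the presented token.
    return hash_equals($record['reset_token_hash'], hash('sha256', $token));
}

// Step 6: replace the old password and clear the token so it is single use.
function completeReset(array &$users, string $email, string $token, string $newPassword): bool
{
    if (!validateToken($users, $email, $token)) {
        return false;
    }
    $users[$email]['password_hash']    = password_hash($newPassword, PASSWORD_DEFAULT);
    $users[$email]['reset_token_hash'] = null;
    $users[$email]['reset_expires']    = null;
    return true;
}

// Walk through the flow for a registered address.
[$msg, $link] = requestReset($users, $ipCounts, 'alice@example.com', '203.0.113.5');
echo $msg, "\n";
parse_str((string) parse_url($link, PHP_URL_QUERY), $params); // what the reset page receives
var_dump(completeReset($users, $params['email'], $params['token'], 'new-password'));
var_dump(completeReset($users, $params['email'], $params['token'], 'again')); // token already used
var_dump(password_verify('new-password', $users['alice@example.com']['password_hash']));

// An unregistered address gets the identical message and no email (step 2).
[$msg2, $link2] = requestReset($users, $ipCounts, 'nobody@example.com', '203.0.113.5');
var_dump($msg === $msg2 && $link2 === null);
```

Run it with `php reset.php`. A real deployment would keep the token hash and expiry in the user row and the IP counts in their own table exactly as the answer describes; the email step is represented here by the returned link.

The hashing remarks above (same md5() output everywhere, rainbow tables, salting) as a second added PHP example, again not code from the original answer. The "rainbow table" is a constructed three-entry lookup of md5() values for weak passwords; the salt `384746` is the one the answer uses for illustration, and `password_hash()`/`password_verify()` are PHP's built-in functions, which generate and store a per-password salt themselves.

```php
<?php
// Added example illustrating the answer's hashing remarks; not the
// original poster's code.
declare(strict_types=1);

// Constructed lookup of md5() values for a few weak passwords: the
// "rainbow table" idea from the answer, reduced to a PHP array.
function buildLookup(array $weakPasswords): array
{
    $table = [];
    foreach ($weakPasswords as $pw) {
        $table[md5($pw)] = $pw;
    }
    return $table;
}

// Returns the password behind a stored md5() value if it is in the table.
function lookup(array $table, string $storedHash): ?string
{
    return $table[$storedHash] ?? null;
}

$table = buildLookup(['password', '123456', 'letmein']);

// Unsalted: md5('password') is the same on every server, so a database
// column holding it matches the precomputed entry directly.
var_dump(lookup($table, md5('password')));            // string "password"

// Salted as in the answer: the same password with "384746" appended no
// longer matches anything precomputed for the bare word.
var_dump(lookup($table, md5('password' . '384746')));  // NULL

// What current PHP provides instead: password_hash() picks a random salt
// per call and embeds it in the output, so two hashes of one password
// differ, yet both verify.
$h1 = password_hash('password', PASSWORD_DEFAULT);
$h2 = password_hash('password', PASSWORD_DEFAULT);
var_dump($h1 !== $h2);
var_dump(password_verify('password', $h1) && password_verify('password', $h2));
var_dump(password_verify('wrong', $h1));
```

The point of the last block is that the salt does not need to be managed separately: `password_hash()` stores it inside the string it returns, and `password_verify()` reads it back, which is the practice the linked SO answer recommends over hand-rolled md5() salting.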

