how unsafe is it to use the md5 password as token in the recover password email?


Question

I was thinking of sending an email with the md5 password as token and checking if the email+password are correct before showing the recover password form

1) user enters mail

2) if mail exists, send an email to it with the password as token

3) when the user clicks the link: check if mail and md5 password are correct, if so:

4) show the password generator form

- edit -

So how could it be safer without adding any column to the user table?

Answer

It's at least theoretically unsafe. See e.g. "md5 decoding. How they do it?" and "MD5 security is fine?"

But why do that in the first place? The following would be much more secure, and only marginally more difficult to implement:

  1. Generate a random key, e.g. 123456789abc
  2. Store it in the user record
  3. Add the key to the URL lookup.php?key=123456789abc
  4. When the user clicks the URL, look up the key to find the correct E-Mail address.
  5. Once the operation has completed, delete the key.

Give the key a lifetime of, say, 24 hours so illegitimate requests fade away.
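The random-key flow from the answer (generate, store, look up, expire after 24 hours, delete after use), as an added example that is not part of the original answer. It assumes an in-memory dict standing in for the users table and stores only a hash of the key, so a leaked table or log line does not hand out a live reset link; the `lookup.php?key=` URL is the one the answer mentions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 24 * 3600  # the 24-hour lifetime suggested in the answer

# Constructed stand-in for the user table: email -> record with two extra
# columns. Only the SHA-256 of the key is stored, never the key itself.
USERS = {
    "alice@example.com": {"reset_key_hash": None, "reset_key_expires": 0.0},
}


def _hash_key(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()


def issue_reset_key(email: str, now: Optional[float] = None) -> Optional[str]:
    """Steps 1-3: if the email exists, generate a random key, store its hash
    with an expiry, and return the key to embed in lookup.php?key=<key>.
    Returns None for unknown emails; the HTTP response should look the same
    either way so the form does not reveal which addresses are registered."""
    user = USERS.get(email)
    if user is None:
        return None
    key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable
    user["reset_key_hash"] = _hash_key(key)
    user["reset_key_expires"] = (time.time() if now is None else now) + TOKEN_TTL_SECONDS
    return key


def redeem_reset_key(key: str, now: Optional[float] = None) -> Optional[str]:
    """Steps 4-5: find the record whose stored hash matches the presented key,
    reject it if expired, and delete it so the link works exactly once.
    Returns the email address on success, otherwise None."""
    now = time.time() if now is None else now
    wanted = _hash_key(key)
    # A real table would be indexed on reset_key_hash; the scan is for the demo.
    for email, user in USERS.items():
        stored = user["reset_key_hash"]
        if stored is None or not hmac.compare_digest(stored, wanted):
            continue
        # Delete before checking expiry: an expired key must not survive a retry.
        user["reset_key_hash"] = None
        expired = now > user["reset_key_expires"]
        user["reset_key_expires"] = 0.0
        return None if expired else email
    return None
```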
