Implement password recovery best practice


Question

I want to implement password recovery in my web application.

I'd like to avoid using secret questions.

I could just send the password by e-mail, but I think it would be risky.

Maybe I could generate a new temporary random password and send it by e-mail, but I think it is as risky as the above point.

Can I send a URL by e-mail, for example http://example.com/token=xxxx, where xxxx is a random token associated with the user? So when the user navigates to that URL he/she can reset the password.

Recommended answer

First off, do not store a plain-text copy of the user's password, or even an encrypted version. You want to only ever keep a hashed copy of the user's password.

As for recovery solutions, I find that the recovery link to change the user's password is the best solution in my experience. It will probably be a bit more convenient for the user, while being largely the same from a security point of view as sending a new random password to be changed after next login. I'd still recommend having the recovery URL expire after a reasonably short period of time, as well as only being usable a single time.
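The flow the answer recommends, as an added example in Python that is not part of the original post: a random token goes into the e-mailed link, only its hash is stored server-side, the link expires and is consumed on first use, and the new password is stored as a salted scrypt hash. The 15-minute lifetime, the `ResetTokenStore` class and the `reset_password` function are assumptions for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: reset links expire after 15 minutes


class ResetTokenStore:
    """Issued reset tokens, keyed by SHA-256 of the token (hypothetical helper).

    Only the hash is kept, so a leaked token table cannot be turned into
    working reset links; the raw token exists only in the e-mail to the user.
    """

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._tokens = {}        # token_hash -> {"user": str, "expires": float}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[self._digest(token)] = {
            "user": user_id,
            "expires": self._now() + TOKEN_TTL_SECONDS,
        }
        return token  # embed in the link, e.g. https://example.com/reset?token=<token>

    def redeem(self, token):
        """Return the user id if the token is valid and unused, else None.

        The entry is removed on the first matching attempt, so each link works
        exactly once; an expired entry is removed without being honoured.
        """
        entry = self._tokens.pop(self._digest(token), None)
        if entry is None or self._now() > entry["expires"]:
            return None
        return entry["user"]


def reset_password(store, token, new_password, user_db):
    """Consume the token and store a salted scrypt hash of the new password."""
    user = store.redeem(token)
    if user is None:
        return False
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.scrypt(new_password.encode(), salt=salt, n=2**14, r=8, p=1)
    user_db[user] = (salt, pw_hash)  # never the plaintext or a reversible form
    return True
```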
