现代Web应用程序中密码检索的有效技术 [英] Effective Techniques for Password Retrieval in Modern Web Applications
问题描述
我们一直在开发Web应用程序,在其中我们需要实现密码检索的传统Web应用程序功能.根据趋势,有类似的方法.
- 发送密码重置链接到用户的电子邮件.
- 向用户询问密码恢复的秘密问题.
- 重置现有密码并创建新密码并将其发送给用户.这也可能迫使用户在下次登录时更改密码.
我们是否有任何非传统的技术来实现密码检索机制?您为此尝试了哪些其他方法?
谢谢.
这取决于您要达到的安全级别,支持成本和可用性问题.
通过电子邮件发送密码重置链接是首选方法,其原因有很多:
-
支持费用-从业务角度来看,这是最大的因素.用户甚至经常忘记他们的密码提示,或者使用伪造的邮寄地址,或者忘记他们的用户名.所有这些都是合法的问题,您可能会收到支持请求.这又带来了另一个问题,您必须通过询问用户最近的帐户活动以及不知道哪些活动来建立用户的合法性.如果您不提供这种级别的支持,那么很多新手用户都会感到失望.通过电子邮件发送密码重置链接可以缓解这些问题,因为用户通常拥有一个或两个电子邮件地址,并且可以通过提供其电子邮件地址轻松地恢复其用户名/密码.
-
安全问题-从技术角度来看,这是最大的因素.这里有很多问题您必须权衡.受损的电子邮件帐户意味着黑客可以访问所有用户的服务,从而可以通过电子邮件发送密码重置链接.您可以选择中间立场,即通过电子邮件将密码重置链接发送给用户,该链接又向用户询问密码提示问题,之后允许他们重置密码.同样,您绝不应以任何方式公开用户的密码.实际上,如果您能够向他们显示他们的密码,则您的系统已经不安全,因为这意味着您未使用SHA-1之类的安全哈希存储它们,并且公司中的开发人员可以获取每个人的密码.
-
可用性-从用户角度来看,这是最大的因素.通过电子邮件发送密码重置链接需要用户检查其电子邮件地址,这意味着完成任务的时间最多可能需要2分钟甚至3分钟.但是,我认为这没什么大不了的.大多数用户似乎并不介意这一点,因为他们认为自己有错,这是出于他们最大利益的一种安全措施.我只是根据个人经验进行假设,而用户通常会有所不同.我将安全性放在比用户体验更高的位置,因为用户很少需要检索密码(用户长时间未登录并忘记了密码;用户已将密码保存在重新安装的浏览器中,其他一些极端情况).
We've been working on web application where in we need to implement traditional web-apps functionality of password retrieval. According to the trends there are approaches like..
- Sending Password reset link to user's email.
- Asking Secret Question to the user for Password recovery.
- Resetting the existing Password and creating a new password and sending it to the user. This may also force the user to change the password upon next logon.
Do we have any non-traditional technique for implementing password retrieval mechanism ? What other approaches you've tried for this ?
Thanks.
It depends on the the level of security you are aiming for, support costs and usability concerns.
Emailing a password reset link is the preferred approach for a number of reasons:
Support Costs - This is the biggest factor from a business perspective. Users often forget even their password hints or use a fake mailing address or forget their user name. All of these are legitimate concerns for which you might get support requests. This in turn creates another issue, you have to establish the legitimacy of the user by asking them about recent account activity and what not. If you don't provide that level of support a lot of novice users will be disappointed. Emailing a password reset link mitigates these concerns because the users typically have one or two email addresses and they can easily recover their username/password by providing their email address.
Security Concerns - This is the biggest factor from a technical perspective. There are various concerns here which you have to weigh. A compromised email account means the hacker can go to access all of the users' services which allow a password reset link to be emailed. You can settle for middle ground which is to email a password reset link to the user which in turn asks the user a password hint question after which it allows them to reset their password. Again, you should never expose the user's password in any medium. In fact, if you have the capability to show them their password your system is already insecure because it implies you are not storing them using a secure hash like SHA-1 and a developer in your company can get at everyone's password.
Usability - This is the biggest factor from the user perspective. Emailing a password reset link requires the user go and check their email address which can means the time to achieve the task can go up to 2 or even 3 minutes. However, I would think that this is not a big deal. Most users don't seem to mind this because they feel they are at fault and this is a security measure in their best interest. I am only hypothesizing from personal experience and users in general might feel differently. I would put security as a higher priority than the user experience because users will rarely if ever need to retrieve their passwords (user has not logged in for a long time and forgot his password; user had saved his password in the browser which was reinstalled and some other edge cases).
这篇关于现代Web应用程序中密码检索的有效技术的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
