How can I provide password reset functionality in a secure way?


Problem description

I'm currently finishing up a website where users are required to create a personal account in order to play a game that is hosted on the same website. What I'm currently having difficulty figuring out is how to implement secure password reset functionality for the users in the case of a forgotten password.

This is the process that is currently in place:

Step 1: User clicks on "Forgot Password" link on the website.
Step 2: User is brought to form and enters email address twice before being sent email.
Step 3: Email contains link to another form where the user can enter a new password twice for confirmation. Upon entering the second form, the system inserts a new record into my Recover_Password table in a database which contains the columns "id", "token", "created_at", and "expires_at".

This is the link -> (mywebsitename).com/form?id=99999&token=
Where "id" is the user's id and "token" is generated from do_hash($id . date('Y-m-d'))

Step 4: User completes form and is brought to the login page. The system clears the token record from the database and updates the user's current password from the user table.

Also I want to know what to do if the user tries refreshing the browser page when they are at the second form. I am currently only allowing access to the page if there is an id and a token value in the get parameters and that they both exist in the database.

I am using Codeigniter for the entire website and need to know if this is a secure way of doing this and also how I should handle the token and the database. Thank you!!

Recommended answer

A secure way to handle password-resets could look like this:

  1. User opens password-reset request form and enters the email address (no need to enter it twice, just make a syntax validation).

  2. Your application checks whether the email exists in your database. If it exists it creates a token, which should be random and not derived from information like userid or timestamp. A hash of the token will be stored in the database in a separate table, together with the userid and an expiry date. A link with the token is sent to the user by email.


Password reset:

  1. User clicks the link and opens the reset form. On this form he can enter the new password twice. The token has to be included as a hidden input tag in the form.

  2. After submitting the form, the application checks the token. If it matches and has not expired, the password can be changed and the user can be logged in directly (you can spare him the login form then). At last the token should be deactivated; I myself prefer to keep the entry, so I can inform the user that the token was already used when he clicks the link again.

One problem you will encounter is that you have to find the hash of the token in the database. There are two possible ways to store the token:

  • You hash the token with a hash algorithm like SHA512 without a salt. This is secure if the token is very strong (minimum length 20 with 0-9 a-z A-Z). Theoretically you have to check whether such a hash already exists before you enter it in the database; in practice this is negligible. I implemented a password-reset class that can handle such tokens.

  • You hash the token with BCrypt and salt. This allows for shorter tokens, but you cannot search for the hashed token in the database. Instead you have to include a row-id in the link to find the token.
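The flow the answer describes, as an added PHP example (not the answerer's own password-reset class and not CodeIgniter code): a random token whose unsalted SHA512 hash is stored with the user id and an expiry, then looked up by that hash, checked, and deactivated on first use so a replayed link can be reported as already used. The table layout and function names are assumptions.

```php
<?php
// Added example (not the answerer's class): in-memory stand-in for the
// separate reset table described above; table and column names are assumed.
$password_resets = [];   // token_hash => ['user_id', 'expires_at', 'used']

// Password reset request, step 2: make a random token, store only its hash.
function create_reset_token(array &$table, int $user_id, int $ttl_seconds = 3600): string
{
    // 32 random bytes -> 43-character URL-safe token, not derived from id or date
    $token = rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
    $table[hash('sha512', $token)] = [
        'user_id'    => $user_id,
        'expires_at' => time() + $ttl_seconds,
        'used'       => false,
    ];
    return $token;   // goes into the emailed link and the form's hidden input
}

// Password reset, step 2: find the row by the token's hash, check expiry and
// single use. Returns the user id on success, otherwise a reason string.
function consume_reset_token(array &$table, string $token, ?int $now = null)
{
    $now  = $now ?? time();
    $hash = hash('sha512', $token);          // same unsalted hash as on creation
    if (!isset($table[$hash])) {
        return 'invalid';
    }
    if ($table[$hash]['used']) {
        return 'already_used';               // row is kept, so the user can be told
    }
    if ($table[$hash]['expires_at'] < $now) {
        return 'expired';
    }
    $table[$hash]['used'] = true;            // deactivate rather than delete
    return $table[$hash]['user_id'];
}

// Constructed walk-through: a reset for user 99999, used once, then replayed.
$token = create_reset_token($password_resets, 99999);
echo 'first use: ',  var_export(consume_reset_token($password_resets, $token), true), PHP_EOL;
echo 'second use: ', var_export(consume_reset_token($password_resets, $token), true), PHP_EOL;
echo 'bad token: ',  var_export(consume_reset_token($password_resets, 'not-a-token'), true), PHP_EOL;
```

In a real application the array lookup becomes a query on an indexed token_hash column, and the password update plus the `used` flag should be written in one transaction.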
