安全密码重置，无需发送电子邮件 [英] Secure password reset without sending an e-mail

问题描述

如何在不向用户发送电子邮件的情况下实现安全的密码重置功能?我存储了另一安全信息，只有用户应该知道，但是仅仅因为用户知道9位数字而让用户更新密码似乎是不安全的.

How do I go about implementing a secure password reset function without sending the user an e-mail? There is another secure bit of information that I store and only the user should know, but it seems insecure to just let the user update a password just because they know a 9 digit number.

请注意，由于我正在使用的服务器上的实际数据库用户受到限制，因此用户数据存储在简单的SQL表中.

Note that user data is stored in a simple SQL table due to limitations on real database users on the server I'm working on.

任何输入将不胜感激.

更新:
在尝试使用OpenID并记住该服务器不允许PHP(以及cURL)发出任何外部请求之后，我尝试再次使用PHP发送邮件.显然，我以前在该服务器上使用mail()的所有糟糕经历都消失了.

Update:
After making an attempt at OpenID and remembering that this server doesn't allow PHP (and thus, cURL) to make any external requests, I tried sending mail with PHP again. Apparently all of my previous terrible experiences with mail() on this server have gone away.

感谢您的所有输入，以后我可能会再次查看OpenID.

Thanks for all of your input, I may look into OpenID again in the future.

推荐答案

输入密码问题.切换到OpenID.您不必担心密码重置，并且用户只需要一个新密码即可.

Punt on the password issue. Switch to OpenID. You don't have to worry about password reset, and the user only needs a new password if they want one.

这是双赢的.

这篇关于安全密码重置，无需发送电子邮件的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！