重置忘记的用户密码的最佳实践 [英] Best practice for resetting forgotten user passwords
问题描述
据我所知,有两种合理的方式来重置用户的忘记密码.
As far as I can think, there are two reasonable ways to reset a user's forgotten password.
-
让用户输入他们的电子邮件地址,并将新的纯文本密码发送到他们的电子邮件地址.
Have the user enter their email address and a new plaintext password is sent to their email address.
会将链接发送到其电子邮件地址,该电子邮件地址的URL中具有UID号.单击此按钮会将用户带到网站上的表单,他们可以在其中选择自己的新密码.
A link is sent to their email address which has a UID number in the URL. Clicking on this takes the user to a form on the website where they can choose there own new password.
哪种方法更可取,为什么?
Which method is preferable and why?
如果使用方法1,则也许第三方可以阅读电子邮件并获取新密码. 如果使用方法2,是什么让某人有条不紊地阻止用户通过UID代码尝试访问该表单以更改用户密码?
If method 1 is used, perhaps a third party could read the email and obtain the new password. If method 2 is used, what is to stop someone methodically going through UID codes to try and access the form to change a user's password?
推荐答案
最好的模式是:
-
用户请求重设密码.最好是通过用户名来做到这一点,并且 不要指出用户名是否存在(以避免可能) 用户通过脚本列出)
User requests password reset. Best is to do it through username, and don't indicate if the username exists or not (to avoid possible users listing through a script)
您将在新数据库表中使用用户ID datetime生成一条记录 的请求(=当前日期时间),以及您刚生成的GUID
You generate a record in a new database table with userid, datetime of request (= current datetime), and a GUID you just generated
您向用户发送了一封邮件,指向带有以下内容的密码重置页面: GUID(而非用户ID)作为参数
You send a mail to the user, pointing to password reset page with the GUID (not the userid) as parameter
在此页面上,您应检查GUID是否存在,以及 最终您可以输入一些截止日期(=用户有1天的时间 进行重置),例如
On this page, you should check that the GUID is existing, and eventually you could put some expiration date (=the user has 1 day to reset, for example)
不要忘记将记录标记为已使用"(在 表格),当用户重设密码时,您就可以停止 最终第二次尝试...
Don't forget to mark the record as "used" (with an extra field in the table) when the user reset his password, so that you can stop an eventual second try...
它可能甚至更安全,但是我认为那已经相当不错了.
It could possibly even more secure, but that is already quite good I think....
这篇关于重置忘记的用户密码的最佳实践的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
