Why should we make account activation/password reset links expire after some time?


Question

Would there be any big issues if they never expire?

Somebody forgot his password and requests to reset his password; an email with the password reset link is sent to him.

He then suddenly remembers his password and so he simply ignores the password reset email. But after a few days, he forgot again. Since he already has a password reset email in his mailbox, he simply clicks on that link to go back to the website to reset his password.

This seems ok, so why should we make account activation/password reset links expire after some time?

Recommended answer

What if their email account was compromised? The attacker then sees all these "password reset" links and clicks through them, further compromising more accounts. Among them is your service, which may use real money or credit card information.
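
The risk described in the answer, an old reset email staying usable for whoever later reads the mailbox, is what expiry and single use remove. The following is an added example, not part of the original question or answer: `ResetTokenStore`, the one-hour lifetime and the in-memory dict standing in for a database table are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 3600  # assumed lifetime; the page does not specify one


class ResetTokenStore:
    """In-memory stand-in (hypothetical) for a table of pending password resets."""

    def __init__(self, ttl=RESET_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock   # injectable so expiry can be exercised in tests
        self._pending = {}    # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        # A new request invalidates any older link for the same user.
        self._pending = {d: v for d, v in self._pending.items() if v[0] != user_id}
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (user_id, self._clock() + self._ttl)
        return token          # placed in the emailed link, never stored in clear

    def redeem(self, token):
        """Return the user id if the token is valid, else None. Single use."""
        # pop() removes the entry, so a second click on the same link fails.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None       # unknown, already used, or superseded
        user_id, expires_at = entry
        if self._clock() >= expires_at:
            return None       # a days-old email in the mailbox is now useless
        return user_id
```

With this design the user in the question who forgets again after a few days simply requests a fresh link, while the stale one in the mailbox no longer resets anything.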
