“忘记密码"实施的最佳方式? [英] Best way for a 'forgot password' implementation?

问题描述

我正在寻找实现忘记密码"功能的最佳方法.

I'm looking for the best method to implement a "forgot password" feature.

我有两个想法:

1. 当用户点击忘记密码时，用户需要输入用户名、电子邮件以及可能的出生日期或姓氏.然后将带有临时密码的邮件发送到用户电子邮件帐户.用户使用临时密码登录并重置密码.

1. When user click on forgot password, the user is required to key in the username, email and maybe date of birth or last name. Then a mail with temporary password will be sent to the user email account. The user uses the temporary password to login and resets his password.

类似，但电子邮件会包含一个链接，让用户重置密码.

Similar, but the email would contain a link to let the user reset his password.

或者任何人都可以建议我一个更好更安全的方法?我也在考虑发送临时密码或链接，强制用户在24小时内重置密码，否则临时密码或链接将无法使用.该怎么做?

Or anyone can suggest me a better and secure way? I'm also thinking to send the temporary password or link, force the user to reset the password within 24 hour, or else the temporary password or link will not be usable. How to do that?

推荐答案

更新:2013 年 5 月修订，以获得更好的方法

1. 用户输入他的用户名并点击忘记密码".我还建议选择输入电子邮件地址而不是用户名，因为有时也会忘记用户名.
2. 系统有一个表 password_change_requests，其中包含 ID、Time 和 UserID 列.当新用户按下按钮时，会在表中创建一条记录.Time 列包含用户按下忘记密码"按钮的时间.ID 是一个字符串.创建一个长的随机字符串(例如，一个 GUID)，然后像密码一样散列(这本身就是一个单独的主题).然后将此哈希用作表中的ID".
3. 系统会向用户发送一封电子邮件，其中包含一个链接.该链接还包含原始 ID 字符串(在散列之前).该链接将如下所示:http://www.mysite.com/forgotpassword.jsp?ID=01234567890ABCDEF.forgotpassword.jsp 页面应该能够检索 ID 参数.抱歉，我不懂 Java，所以不能更具体.
4. 当用户点击电子邮件中的链接时，他会被移至您的页面.该页面从 URL 中检索 ID，再次对其进行哈希处理，然后对照表进行检查.如果存在这样的记录并且不超过 24 小时，则会提示用户输入新密码.
5. 用户输入一个新密码，点击确定，从此大家过上幸福的生活……直到下一次！

1. The user enters his username and hits "forgot password". I also recommend the option of entering the email address instead of the username, because usernames are sometimes forgotten too.
2. The system has a table password_change_requests with the columns ID, Time and UserID. When the new user presses the button, a record is created in the table. The Time column contains the time when the user pressed the "Forgot Password" button. The ID is a string. A long random string is created (say, a GUID) and then hashed like a password (which is a separate topic in and of itself). This hash is then used as the 'ID' in the table.
3. The system sends an email to the user which contains a link in it. The link also contains the original ID string (before the hashing). The link will be something like this: http://www.mysite.com/forgotpassword.jsp?ID=01234567890ABCDEF. The forgotpassword.jsp page should be able to retrieve the ID parameter. Sorry, I don't know Java, so I can't be more specific.
4. When the user clicks the link in the email, he is moved to your page. The page retrieves the ID from the URL, hashes it again, and checks against the table. If such a record is there and is no more than, say, 24 hours old, the user is presented with the prompt to enter a new password.
5. The user enters a new password, hits OK and everyone lives happily ever after... until next time!

这篇关于“忘记密码"实施的最佳方式?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！