为密码重置生成密码 [英] Generate secret code for password reset

问题描述

我正在做一个允许用户重置密码的模块。我注意到大多数网站他们提供的确认链接包含具有唯一散列的查询字符串。

用户请求忘记密码？我应该将此散列存储在数据库中，并在稍后使用它进行验证？它会安全吗？或者我应该创建一些生成一次性密码的算法？如何生成OTP？

解决方案

是的，您应该

1. 生成随机重置令牌。见例如
2. 将数据存储在数据库中（可能有失效时间）


3. 发送e-
   
4. 用户使用查询字符串中的重置令牌访问重置密码页面。


5. 检查数据库以使用重置令牌请参阅与重置令牌关联的用户，以及过期时间是否已过。 如果所有内容都检出，则允许用户重置密码并从数据库中删除重置令牌。

重置令牌的生成（或任何您想调用它的位置）似乎有很多混淆。请阅读我已经链接到的答案，并且不要用哈希和弱种子重新发明轮子。

I'm doing a module which allow users to reset password. I noticed how most websites they provide a confirmation link which contain query string that has a unique hash.

My question is: How can I generate this unique hash each time the same user request forgot password? Should I store this hash in database and use it for verification later on? Will it be safe? Or should I create some sort of algorithm which generate one-time password? How can I generate a OTP?

解决方案

Yes, you should

1. Generate a random reset token. See e.g. this answer.
2. Store it in the database (possibly with an expiry time)
3. Send e-mail to the user with the reset token.
4. User visits the reset password page with the reset token in the query string.
5. Check the database to see the user associated with the reset token and if the expiry time hasn't passed.
6. If everything checks out, allow the user to reset the password and delete the reset token from the database.

There seems to be a lot a confusion about the generation of the reset token (or whatever you want to call it). Please read the answer I've linked to and don't reinvent the wheel with hashes and weak seeds.

这篇关于为密码重置生成密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！