忘记密码页面,但密码被散列 [英] Forgot password page, but passwords are hashed

查看:156
本文介绍了忘记密码页面,但密码被散列的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我需要实现一个忘记密码页面,但我的密码被腌制&散列。所以我无法按照惯例检索它们。我的想法是做到以下几点:


  • 当用户点击忘记$ b $密码链接时,他们自然需要
    键入他们的电子邮件地址(也就是
    也是他们的用户名)。

  • 他们的密码重置为散列
    &安培;我做的腌制密码。然后,我发送
    给他们一封电子邮件,其中包含一个
    链接到一个新页面,他们可以在
    中键入他们的新密码。


  • 链接包含新的哈希&
    密码(作为$ _GET变量),
    仅用于身份验证。


  • 我只是从$ _GET变量中获取链接,对数据库中的条目进行身份验证以及哈希&盐新的密码,并插入到数据库。




这有多安全?对于不容易成为垃圾邮件制造者和暴力攻击者的目标站点。



预先感谢。

解决方案

这听起来不错;然而,在一个更经常访问的网站上提供完整的安全性时,需要考虑一个稍微不同的方法:


  • 电子邮件地址照常

  • 使用随机生成的密码填写第二密码字段

    / li>
  • 填写第二个密码生成日期和时间的附加列

  • 如果用户不' t在24小时内作出反应(即使用新密码登录),从第二栏删除密码


带有新密码的电子邮件,向用户解释如果他们没有要求新密码,他们可以忽略它。



这样,第三个一方输入用户的电子邮件地址不能通过完全重置密码来阻止用户从他们自己的帐户中。

I need to implement a Forgot Password page, but my passwords are salted & hashed. So I can't retrieve them conventionally. My idea was to do the following:

  • When an user clicks the Forgot Password link, they naturally need to type in their email address (which is also their username).

  • Their password gets reset to a hashed & salted password i made. Then, i send an email to them which contains a link to a new page where they can type in their new password.

  • The link contains the new hashed & salted password (as a $_GET variable) which is just for authentication purposes.

  • I just grab the $_GET variable from the link, authenticate against entry in DB and hash & salt new password and insert into db.

How safe is this? For a site that won't easily be targeted by spammers and brute force attackers.

Thanks in advance.

解决方案

This sounds fine; for total security on a more frequented site however, a slightly different method would be worth considering:

  • Have the user type in their E-Mail address as usual

  • Populate a second password field with the random password you build and send out

  • Populate an additional column with the date and time the second password was generated

  • If the user doesn't react (i.e. log in with the new password) within 24 hours, remove the password from the second column

In the E-Mail with the new password, explain to the user that if they didn't request the new password, they can just ignore it.

This way, a third party entering a user's E-Mail address can't block a user from their own account by resetting the password completely.

这篇关于忘记密码页面,但密码被散列的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆