Forgot Password Feature Spring (Password Retrieval)

Views: 161

Question


I am building a web application which involves a user registering and logging in. I am trying to implement a feature that enables users to retrieve their password to their registered email address. So a message would be sent to re-type their password or just provide their password within that email. I am using Spring; are there any tutorials/articles where someone shows an example of this being implemented? All answers would be appreciated. Thanks

Recommended answer

Basically there are two approaches.


  1. Send them an expiring link to a page which lets them change their password, preferably after answering a couple of extra security questions such as mother's maiden name, favorite color, dog's name, first teacher, ... that only they would know, and that they have already told you when registering. You can see for yourself that this is reasonably secure, by the expiry of the link and the nature of the secret questions.


  2. Send them their own password. This has all sorts of security problems. For a start, you shouldn't even know their password in the first place: only a hash of it; otherwise your system is subject to a major legal constraint called loss of non-repudiability, which you should discuss with your corporate lawyers before going anywhere near. Second, anybody who intercepts the email can use the password for their own nefarious purposes, which again puts you into repudiability of all transactions, which basically sends you broke.


Don't use (2) :-|
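To make option (1) concrete, here is an added example (not from the answer above and not a Spring API; plain JDK only, assuming Java 17) of issuing and redeeming an expiring, single-use reset token for the emailed link. Only the SHA-256 hash of the token is stored, so a leaked table cannot be used to complete a reset; the in-memory map stands in for a database table.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class PasswordResetTokens {
    // Constructed in-memory store keyed by user id; a real app would use a DB table.
    private final Map<String, Entry> store = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration ttl;

    private record Entry(byte[] tokenHash, Instant expiresAt) {}

    public PasswordResetTokens(Duration ttl) { this.ttl = ttl; }

    /** Creates a fresh token for the user and returns the raw value to embed in the email link. */
    public String issue(String userId) {
        byte[] raw = new byte[32];                       // 256 bits of entropy, not guessable
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.put(userId, new Entry(sha256(token), Instant.now().plus(ttl)));
        return token;                                    // raw token is never persisted
    }

    /** True only if the token matches and is unexpired; a successful redeem consumes it. */
    public boolean redeem(String userId, String token) {
        Entry e = store.get(userId);
        if (e == null || Instant.now().isAfter(e.expiresAt())) {
            store.remove(userId);                        // drop expired entries
            return false;
        }
        boolean ok = MessageDigest.isEqual(e.tokenHash(), sha256(token)); // constant-time compare
        if (ok) store.remove(userId);                    // single use
        return ok;
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException ex) {
            throw new IllegalStateException(ex);
        }
    }
}
```

The reset page would call `redeem` with the user id and the token from the link, and only on `true` allow a new password to be set (and hashed with a proper password hash before storage).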

