[英]Password Recovery without sending password via email
So, I've been playing with asp:PasswordRecovery
and discovered I really don't like it, for several reasons: 所以,我一直在玩
asp:PasswordRecovery
并发现我真的不喜欢它,原因有以下几点:
1) Alice's password can be reset even without having access to Alice's email. 1)即使无法访问Alice的电子邮件,也可以重置Alice的密码。 A security question for password resets mitigates this, but does not really satisfy me.
密码重置的安全问题可以缓解这一问题,但并不能让我满意。
2) Alice's new password is sent back to her in cleartext. 2)Alice的新密码以明文形式发回给她。 I would rather send her a special link to my page (eg a page like example.com/recovery.aspx?P=lfaj0831uefjc), which would let her change her password.
我想向她发送一个特殊链接到我的页面(例如像example.com/recovery.aspx?P=lfaj0831uefjc这样的页面),这会让她更改她的密码。
I imagine I could do this myself by creating some sort of table of expiring password recovery pages and sending those pages to users who asked for a reset. 我想我可以通过创建某种过期密码恢复页面表并将这些页面发送给要求重置的用户来自行完成。 Somehow those pages could also change user passwords behind the scenes (eg by resetting them manually and then using the text of the new password to change the password, since a password cannot be changed without knowing the old one).
不知何故,这些页面也可以在幕后更改用户密码(例如,通过手动重置它们然后使用新密码的文本来更改密码,因为密码在不知道旧密码的情况下无法更改)。 I'm sure others have had this problem before and that kind of solution strikes me as a little hacky.
我确定其他人之前遇到过这个问题,这种解决方案让我觉得有点笨拙。 Is there a better way to do this?
有一个更好的方法吗?
An ideal solution does not violate encapsulation by accessing the database directly but instead uses the existing stored procedures within the database...though that may not be possible. 理想的解决方案不会通过直接访问数据库来违反封装,而是使用数据库中的现有存储过程......尽管这可能是不可能的。
I'm currently implementing an open source user management system on top of Spring + SpringSecurity, and here's how I'm addressing the lost password problem. 我目前正在Spring + SpringSecurity之上实现一个开源用户管理系统 ,这就是我如何解决丢失的密码问题。
This avoids sending a password (in clear) in an email message. 这样可以避免在电子邮件中发送密码(明文)。 And it also protects against one person resetting another person's password just to be a nuisance, because the password reset only takes place after the link has been used.
并且它还可以防止一个人重置另一个人的密码只是为了讨厌,因为密码重置只发生在链接使用后。
But it does rely on the user's email account being secure, and in the email not being snooped while in transit. 但它确实依赖于用户的电子邮件帐户是安全的,并且在电子邮件中不会在传输过程中被窥探。 For some applications, this maybe an unacceptable risk.
对于某些应用,这可能是不可接受的风险。
Another piece of the equation is that you need to be really careful about changing a user's registered email addresses. 另一方面是您需要非常小心地更改用户的注册电子邮件地址。 At the very least, the user must enter their current password with the request to change address ... to prevent against hacking via unattended login sessions.
至少,用户必须输入他们当前的密码以及更改地址的请求...以防止通过无人参与的登录会话进行黑客攻击。
I recommend adding an additional level of checking, here are some options to choose from. 我建议添加额外的检查级别,以下是一些可供选择的选项。
In general I am totally against ever sending a password in Email, so I like the password reset link option more than a new plain-text password. 一般来说,我完全反对在电子邮件中发送密码,所以我更喜欢密码重置链接选项而不是新的纯文本密码。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.