
Password Recovery without sending password via email

So, I've been playing with asp:PasswordRecovery and discovered I really don't like it, for several reasons:

1) Alice's password can be reset even without having access to Alice's email. A security question for password resets mitigates this, but does not really satisfy me.

2) Alice's new password is sent back to her in cleartext. I would rather send her a special link to my page (e.g. a page like example.com/recovery.aspx?P=lfaj0831uefjc), which would let her change her password.

I imagine I could do this myself by creating some sort of table of expiring password recovery pages and sending those pages to users who asked for a reset. Somehow those pages could also change user passwords behind the scenes (e.g. by resetting them manually and then using the text of the new password to change the password, since a password cannot be changed without knowing the old one). I'm sure others have had this problem before, and that kind of solution strikes me as a little hacky. Is there a better way to do this?

An ideal solution does not violate encapsulation by accessing the database directly but instead uses the existing stored procedures within the database... though that may not be possible.

I'm currently implementing an open source user management system on top of Spring + SpringSecurity, and here's how I'm addressing the lost password problem.

  1. The user's account must have a preregistered email address.
  2. To request a reset, the user enters their account name into a form.
  3. A temporary "reset code" is generated and attached to the account, and emailed to the user embedded in a hyperlink.
  4. On receiving the email, the user clicks the link, which takes them to a page to enter their new password.
  5. Before accepting the new password, the reset code (from the link) is checked against the stored code, to make sure it is correct and that it hasn't expired.

This avoids sending a password (in clear) in an email message. And it also protects against one person resetting another person's password just to be a nuisance, because the password reset only takes place after the link has been used.

But it does rely on the user's email account being secure, and on the email not being snooped while in transit. For some applications, this may be an unacceptable risk.

Another piece of the equation is that you need to be really careful about changing a user's registered email address. At the very least, the user must enter their current password with the request to change address... to prevent hacking via unattended login sessions.
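The five-step reset-code flow from the answer above, as an added example that is not part of the original post or of the answerer's Spring project. It is written in Python with in-memory dictionaries standing in for the database tables; the URL format, field names and 15-minute lifetime are assumptions. Only a hash of the code is stored, so a leaked table does not yield usable links, and a code is invalidated the moment it is used.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for the database tables (assumption:
# real code would persist these and store a salted password hash, not cleartext).
ACCOUNTS = {"alice": {"email": "alice@example.com", "password": "old-secret"}}
RESET_CODES = {}  # account name -> {"code_hash": hex digest, "expires": unix time}

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link


def _hash_code(code):
    # Store only a digest of the code: the database never holds a usable link.
    return hashlib.sha256(code.encode()).hexdigest()


def request_reset(account, now=None):
    """Steps 2-3: generate a reset code, attach its hash to the account, return the link."""
    now = time.time() if now is None else now
    if account not in ACCOUNTS:
        # Caller should show the same "check your email" page either way (no enumeration).
        return None
    code = secrets.token_urlsafe(32)  # 256 random bits from a CSPRNG, unguessable
    RESET_CODES[account] = {"code_hash": _hash_code(code), "expires": now + RESET_TTL_SECONDS}
    # The link would be emailed to ACCOUNTS[account]["email"]; the code itself is not stored.
    return f"https://example.com/recovery?user={account}&P={code}"


def complete_reset(account, code, new_password, now=None):
    """Step 5: verify the code against the stored hash and expiry, then set the password."""
    now = time.time() if now is None else now
    entry = RESET_CODES.get(account)
    if entry is None or now > entry["expires"]:
        return False  # no outstanding request, or the link has expired
    if not hmac.compare_digest(_hash_code(code), entry["code_hash"]):
        return False  # wrong code; constant-time compare avoids timing leaks
    del RESET_CODES[account]  # single use: the same link cannot be replayed
    ACCOUNTS[account]["password"] = new_password  # real code stores a password hash here
    return True
```

Until `complete_reset` succeeds, the old password keeps working, which is what stops a third party from locking Alice out merely by requesting a reset for her account.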

I recommend adding an additional level of checking; here are some options to choose from.

  1. First, you can save the requester's IP address in a database; then, when they click the reset link, compare that with the IP address of their current machine, and if they match, reset the password. If the email is intercepted, then the person attempting to reset the password must have a matching IP address.
  2. Use a cookie and store a unique value, maybe a GUID, MD5 hash or something. So when the user makes a password reset request, a cookie is stored on their machine and in the database; when the user clicks the link, the local cookie must match the database value or they will not be able to reset their password.

In general I am totally against ever sending a password in email, so I like the password reset link option more than a new plain-text password.
