验证密码确认和后端的密码是否不必要?
[英]Is validating password confirmation and the password in the backend unnecessary?
问题描述
I'm thinking if it is necessary to even ask the user to re-enter the password?
我在想是否有必要要求用户重新输入密码? Anyway if I decide to have the user re-enter the password, is comparing client side good enough and does it pose any security risks, or should I compare server side?无论如何,如果我决定让用户重新输入密码,比较客户端是否足够好,是否会带来任何安全风险,还是应该比较服务器端?
3 个解决方案
解决方案1
0 2021-05-19 22:15:10
Client side is fine.客户端没问题。 The risks are the same as having a single password input field.风险与使用单个密码输入字段相同。
解决方案2
0 2021-05-19 22:15:20
The purpose of typing the password twice is just to catch typos, it serves no security purpose.输入两次密码的目的只是为了捕捉拼写错误,它没有任何安全目的。 So checking it in the client should generally be sufficient.因此,在客户端中检查它通常就足够了。 If the user disables this somehow, they're just hurting themselves, since they might submit an unintended password.如果用户以某种方式禁用此功能,他们只会伤害自己,因为他们可能会提交意外密码。
The only reason you might do it in the server as well is if you want to support users who disable JavaScript in the browser.您也可以在服务器中执行此操作的唯一原因是,如果您想支持在浏览器中禁用 JavaScript 的用户。
解决方案3
0 2021-05-19 22:16:20
It is not for security purpose.它不是出于安全目的。 As password input is secret (you only see ********), and the user cannot check its password, you can add a password confirmation so the user can confirm its password ie as a user I thought I wrote LOL875PASS but wrote LoL875PASS由于密码输入是保密的(您只能看到 ********),并且用户无法检查其密码,您可以添加密码确认,以便用户可以确认其密码,即作为用户我以为我写了 LOL875PASS 但是写了 LoL875PASS
Confirming password can bring this error to my eyes.确认密码可以让我看到这个错误。 You can pass this input by providing a "toggle" that shows password to the user您可以通过提供向用户显示密码的“切换”来传递此输入
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.