I'm wondering what the best method is for creating a forgot password function on a website. I have seen quite a few out there, here are a few or combination of:
我想知道在网站上创建忘记密码功能的最佳方法是什么。我在那里看到了不少,这里有几个或组合:
- passphrase question / answer (1 or more)
- send email with new password
- on screen give new password
- confirmation through email: must click link to get new password
- page requiring user to enter a new password
密码问题/答案(1个或更多)
使用新密码发送电子邮件
在屏幕上给出新密码
通过电子邮件确认:必须单击链接以获取新密码
要求用户输入新密码的页面
What combination or additional steps would you add to a forgot password function? I'm wondering about how they request the new password and how they end up getting it.
您会在忘记密码功能中添加哪些组合或附加步骤?我想知道他们如何申请新密码以及他们最终如何获得密码。
I'm operating on the principal that the password cannot be retrieved; a new password must be given/generated.
我正在操作委托人,无法检索密码;必须提供/生成新密码。
Edit I like what Cory said about not displaying if the username exists, but I'm wondering what to display instead. I'm thinking half the problem is that the user forgot which email address they used, which displaying some sort of "does not exist" message is useful. Any solutions?
编辑我喜欢Cory所说的关于如果用户名存在不显示的内容,但我想知道要显示什么。我认为问题的一半是用户忘记了他们使用的电子邮件地址,显示某种“不存在”的消息是有用的。有解决方案?
7 个解决方案
#1
- I personally would send an email with a link to a short term page that lets them set a new password. Make the page name some kind of UID.
- If that does not appeal to you, then sending them a new password and forcing them to change it on first access would do as well.
我个人会发送一封电子邮件,其中包含一个短期页面的链接,可以让他们设置一个新密码。使页面名称成为某种UID。
如果这对您没有吸引力,那么向他们发送新密码并强制他们在首次访问时更改密码也会这样做。
Option 1 is far easier.
选项1更容易。
#2
A few important security concerns:
一些重要的安全问题:
- A passphrase question / answer actually lowers security since it typically becomes the weakest link in the process. It's often easier to guess someone's answer than it is a password - particularly if questions aren't carefully chosen.
- Assuming emails operate as the username in your system (which is generally recommended for a variety of reasons), the response to a password reset request shouldn't indicate whether a valid account was found. It should simply state that a password request email has been sent to the address provided. Why? A response indicating that an email does/doesn't exist allows a hacker to harvest a list of user accounts by submitting multiple password requests (typically via an HTTP proxy like burp suite) and noting whether the email is found. To protect from login harvesting you must assure no login/auth related functions provide any indication of when a valid user's email has been entered on a login/pass reset form.
密码短语问题/答案实际上会降低安全性,因为它通常会成为流程中最薄弱的环节。猜测某人的答案往往比密码更容易 - 特别是如果没有仔细选择问题。
假设电子邮件作为系统中的用户名运行(通常建议出于各种原因),对密码重置请求的响应不应指示是否找到了有效帐户。它应该简单地说明密码请求电子邮件已发送到提供的地址。为什么?指示电子邮件存在/不存在的响应允许黑客通过提交多个密码请求(通常通过诸如burp套件的HTTP代理)并且注意是否找到电子邮件来收集用户帐户的列表。为了防止登录收获,您必须确保没有登录/身份验证相关功能提供有关何时在登录/通过重置表单上输入有效用户的电子邮件的任何指示。
For more background, checkout the Web Application Hackers Handbook. It's an excellent read on creating secure authentication models.
有关更多背景信息,请查看Web Application Hackers Handbook。这是创建安全身份验证模型的绝佳读物。
EDIT: Regarding the question in your edit - I'd suggest:
编辑:关于编辑中的问题 - 我建议:
"A password request email has been sent to the address you provided. If an email doesn't arrive shortly, please check your spam folder. If no email arrives, then no account exists with the email you provided."
“密码请求电子邮件已发送到您提供的地址。如果电子邮件不会很快到达,请检查您的垃圾邮件文件夹。如果没有收到电子邮件,则您提供的电子邮件中不存在任何帐户。”
There's a trade-off being made here between ease of use and security. You have to balance this based on context - is security important enough to you and your users to justify this inconvenience?
在易用性和安全性之间进行了权衡。您必须根据上下文对此进行平衡 - 对您和您的用户来说,安全性是否足够重要,以证明这种不便之处?
#3
Send email with new password.
使用新密码发送电子邮件。
FORCE a password change when they arrive and key in the new password.
当密码到达时强制更改密码并输入新密码。
This ensures that the person who wanted the password will be the only only getting in to the account.
这确保了想要密码的人将是唯一进入该帐户的人。
If the email is sniffed, someone could get in to the account (of course), but the real party will discover this immediately (as their password you just sent them doesn't work).
如果电子邮件被嗅到,有人可以进入帐户(当然),但真正的一方会立即发现(因为他们发送的密码不起作用)。
Also send confirmations of password changes to the users.
还向用户发送密码更改确认。
If someone get the new password, and then an email saying "thanx for changing the password", they're going to be rather puzzled and will talk to an admin if they didn't do it.
如果有人获得了新密码,然后发送了一封电子邮件,上面写着“用于更改密码的密码”,那么他们会感到非常困惑,如果他们不这样做,他们会与管理员交谈。
#4
Using the email verification/password reset link will give you better security. If you look around this is how most websites do it and people are pretty used to this verification, so I'd recommend using this type of authentication.
使用电子邮件验证/密码重置链接将为您提供更好的安全性。如果你环顾四周这是大多数网站如何做到这一点,人们已经习惯了这个验证,所以我建议使用这种类型的身份验证。
#5
I would think (gbrandt's) Option 2 would be a great method if it is combined with some personal information you already have for the user. i.e date of birth.
我认为(gbrandt's)选项2如果与你已经为用户提供的一些个人信息结合起来将是一个很好的方法。即出生日期。
When the user requests a new password (reset) via entering his email address, he also has to enter a correct date of birth (or something else) before the password is reset and a new one is emailed to the user.
当用户通过输入他的电子邮件地址请求新密码(重置)时,他还必须在重置密码之前输入正确的出生日期(或其他内容),并通过电子邮件将新密码发送给用户。
Only those who know him well can possibly annoy him by resetting his password! It cant be a stranger or a bot
只有那些认识他的人才可能通过重置他的密码来惹恼他!它不可能是一个陌生人或机器人
Upon 5 or 7 bad email-address & date of birth combinations the user is emailed that his password has been requested to be reset and has failed due to an incorrect credential. Then password resetting for that account is suspended for 24hrs or any desired period.
在5或7个错误的电子邮件地址和出生日期组合时,用户通过电子邮件发送他的密码已被请求重置并且由于凭证不正确而失败。然后,该帐户的密码重置将暂停24小时或任何所需的时间段。
(if too many users contact the webadmin regarding this email he'll know someone is trying to maliciously attain information from your website/app)
(如果有太多用户联系webadmin关于此电子邮件,他会知道有人试图恶意获取您网站/应用程序中的信息)
What do you guys think?
你们有什么感想?
#6
Option 1. is not a good idea, as generally his becomes easily guessable by others. Sarah Palin's personal email (Yahoo I think) was hacked in this way by a third party.
选项1.不是一个好主意,因为一般来说他的其他人很容易猜到。 Sarah Palin的个人电子邮件(我认为雅虎)被第三方以这种方式攻击。
The other options are better and previous posts have outlined the detail.
其他选项更好,之前的帖子概述了细节。
#7
The idea I was thinking about was to sign the data in the link that is sent to the user. Then, when the user clicks the link and the server receives the call, the server also gets the encrypted part and can validate that the data was untouched.
我正在考虑的想法是在发送给用户的链接中签署数据。然后,当用户单击链接并且服务器接收到呼叫时,服务器也会获取加密部分并且可以验证数据是否未被触及。
I have implemented a JAVA project for this use case. It is on GitHub, open source. It answers your question perfectly... implemented in Java.
我为这个用例实现了一个JAVA项目。它在GitHub上,开源。它完美地回答了你的问题...用Java实现。
As for the link in the email - it generates the link, plus validates it upon usage.
至于电子邮件中的链接 - 它会生成链接,并在使用时对其进行验证。
There are explanation for everything (and if something is missing - let me know...)
一切都有解释(如果缺少某些东西 - 请告诉我......)
Have a look: https://github.com/OhadR/Authentication-Flows
看看:https://github.com/OhadR/Authentication-Flows
See a Demo here.
在这里看一个演示。
This is the client web-app that uses the auth-flows, with the README with all explanations. it directs you the implementation: https://github.com/OhadR/oAuth2-sample/tree/master/authentication-flows
这是使用auth-flow的客户端Web应用程序,README包含所有解释。它指导您实施:https://github.com/OhadR/oAuth2-sample/tree/master/authentication-flows
#1
- I personally would send an email with a link to a short term page that lets them set a new password. Make the page name some kind of UID.
- If that does not appeal to you, then sending them a new password and forcing them to change it on first access would do as well.
我个人会发送一封电子邮件,其中包含一个短期页面的链接,可以让他们设置一个新密码。使页面名称成为某种UID。
如果这对您没有吸引力,那么向他们发送新密码并强制他们在首次访问时更改密码也会这样做。
Option 1 is far easier.
选项1更容易。
#2
A few important security concerns:
一些重要的安全问题:
- A passphrase question / answer actually lowers security since it typically becomes the weakest link in the process. It's often easier to guess someone's answer than it is a password - particularly if questions aren't carefully chosen.
- Assuming emails operate as the username in your system (which is generally recommended for a variety of reasons), the response to a password reset request shouldn't indicate whether a valid account was found. It should simply state that a password request email has been sent to the address provided. Why? A response indicating that an email does/doesn't exist allows a hacker to harvest a list of user accounts by submitting multiple password requests (typically via an HTTP proxy like burp suite) and noting whether the email is found. To protect from login harvesting you must assure no login/auth related functions provide any indication of when a valid user's email has been entered on a login/pass reset form.
密码短语问题/答案实际上会降低安全性,因为它通常会成为流程中最薄弱的环节。猜测某人的答案往往比密码更容易 - 特别是如果没有仔细选择问题。
假设电子邮件作为系统中的用户名运行(通常建议出于各种原因),对密码重置请求的响应不应指示是否找到了有效帐户。它应该简单地说明密码请求电子邮件已发送到提供的地址。为什么?指示电子邮件存在/不存在的响应允许黑客通过提交多个密码请求(通常通过诸如burp套件的HTTP代理)并且注意是否找到电子邮件来收集用户帐户的列表。为了防止登录收获,您必须确保没有登录/身份验证相关功能提供有关何时在登录/通过重置表单上输入有效用户的电子邮件的任何指示。
For more background, checkout the Web Application Hackers Handbook. It's an excellent read on creating secure authentication models.
有关更多背景信息,请查看Web Application Hackers Handbook。这是创建安全身份验证模型的绝佳读物。
EDIT: Regarding the question in your edit - I'd suggest:
编辑:关于编辑中的问题 - 我建议:
"A password request email has been sent to the address you provided. If an email doesn't arrive shortly, please check your spam folder. If no email arrives, then no account exists with the email you provided."
“密码请求电子邮件已发送到您提供的地址。如果电子邮件不会很快到达,请检查您的垃圾邮件文件夹。如果没有收到电子邮件,则您提供的电子邮件中不存在任何帐户。”
There's a trade-off being made here between ease of use and security. You have to balance this based on context - is security important enough to you and your users to justify this inconvenience?
在易用性和安全性之间进行了权衡。您必须根据上下文对此进行平衡 - 对您和您的用户来说,安全性是否足够重要,以证明这种不便之处?
#3
Send email with new password.
使用新密码发送电子邮件。
FORCE a password change when they arrive and key in the new password.
当密码到达时强制更改密码并输入新密码。
This ensures that the person who wanted the password will be the only only getting in to the account.
这确保了想要密码的人将是唯一进入该帐户的人。
If the email is sniffed, someone could get in to the account (of course), but the real party will discover this immediately (as their password you just sent them doesn't work).
如果电子邮件被嗅到,有人可以进入帐户(当然),但真正的一方会立即发现(因为他们发送的密码不起作用)。
Also send confirmations of password changes to the users.
还向用户发送密码更改确认。
If someone get the new password, and then an email saying "thanx for changing the password", they're going to be rather puzzled and will talk to an admin if they didn't do it.
如果有人获得了新密码,然后发送了一封电子邮件,上面写着“用于更改密码的密码”,那么他们会感到非常困惑,如果他们不这样做,他们会与管理员交谈。
#4
Using the email verification/password reset link will give you better security. If you look around this is how most websites do it and people are pretty used to this verification, so I'd recommend using this type of authentication.
使用电子邮件验证/密码重置链接将为您提供更好的安全性。如果你环顾四周这是大多数网站如何做到这一点,人们已经习惯了这个验证,所以我建议使用这种类型的身份验证。
#5
I would think (gbrandt's) Option 2 would be a great method if it is combined with some personal information you already have for the user. i.e date of birth.
我认为(gbrandt's)选项2如果与你已经为用户提供的一些个人信息结合起来将是一个很好的方法。即出生日期。
When the user requests a new password (reset) via entering his email address, he also has to enter a correct date of birth (or something else) before the password is reset and a new one is emailed to the user.
当用户通过输入他的电子邮件地址请求新密码(重置)时,他还必须在重置密码之前输入正确的出生日期(或其他内容),并通过电子邮件将新密码发送给用户。
Only those who know him well can possibly annoy him by resetting his password! It cant be a stranger or a bot
只有那些认识他的人才可能通过重置他的密码来惹恼他!它不可能是一个陌生人或机器人
Upon 5 or 7 bad email-address & date of birth combinations the user is emailed that his password has been requested to be reset and has failed due to an incorrect credential. Then password resetting for that account is suspended for 24hrs or any desired period.
在5或7个错误的电子邮件地址和出生日期组合时,用户通过电子邮件发送他的密码已被请求重置并且由于凭证不正确而失败。然后,该帐户的密码重置将暂停24小时或任何所需的时间段。
(if too many users contact the webadmin regarding this email he'll know someone is trying to maliciously attain information from your website/app)
(如果有太多用户联系webadmin关于此电子邮件,他会知道有人试图恶意获取您网站/应用程序中的信息)
What do you guys think?
你们有什么感想?
#6
Option 1. is not a good idea, as generally his becomes easily guessable by others. Sarah Palin's personal email (Yahoo I think) was hacked in this way by a third party.
选项1.不是一个好主意,因为一般来说他的其他人很容易猜到。 Sarah Palin的个人电子邮件(我认为雅虎)被第三方以这种方式攻击。
The other options are better and previous posts have outlined the detail.
其他选项更好,之前的帖子概述了细节。
#7
The idea I was thinking about was to sign the data in the link that is sent to the user. Then, when the user clicks the link and the server receives the call, the server also gets the encrypted part and can validate that the data was untouched.
我正在考虑的想法是在发送给用户的链接中签署数据。然后,当用户单击链接并且服务器接收到呼叫时,服务器也会获取加密部分并且可以验证数据是否未被触及。
I have implemented a JAVA project for this use case. It is on GitHub, open source. It answers your question perfectly... implemented in Java.
我为这个用例实现了一个JAVA项目。它在GitHub上,开源。它完美地回答了你的问题...用Java实现。
As for the link in the email - it generates the link, plus validates it upon usage.
至于电子邮件中的链接 - 它会生成链接,并在使用时对其进行验证。
There are explanation for everything (and if something is missing - let me know...)
一切都有解释(如果缺少某些东西 - 请告诉我......)
Have a look: https://github.com/OhadR/Authentication-Flows
看看:https://github.com/OhadR/Authentication-Flows
See a Demo here.
在这里看一个演示。
This is the client web-app that uses the auth-flows, with the README with all explanations. it directs you the implementation: https://github.com/OhadR/oAuth2-sample/tree/master/authentication-flows
这是使用auth-flow的客户端Web应用程序,README包含所有解释。它指导您实施:https://github.com/OhadR/oAuth2-sample/tree/master/authentication-flows