Secure password reset without sending an email

Time: 2022-06-19 08:14:48

How do I go about implementing a secure password reset function without sending the user an e-mail? There is another secure bit of information that I store and only the user should know, but it seems insecure to just let the user update a password just because they know a 9 digit number.

Note that user data is stored in a simple SQL table due to limitations on real database users on the server I'm working on.

Any input would be appreciated.

Update:
After making an attempt at OpenID and remembering that this server doesn't allow PHP (and thus, cURL) to make any external requests, I tried sending mail with PHP again. Apparently all of my previous terrible experiences with mail() on this server have gone away.

Thanks for all of your input, I may look into OpenID again in the future.

4 solutions

#1


Punt on the password issue. Switch to OpenID. You don't have to worry about password reset, and the user only needs a new password if they want one.

It's a win-win.

#2


Typically, identifying a user as being real on the internet requires an "opt in" model where the user "opts" to have their password reset, and an email is sent confirming either that they want it reset, or that it has been reset and what the new reset password is.

Really, the only reasonably safe alternatives are ones that use a similar method. Send an email, an SMS text message they must reply to, an automated phone call where they have to punch in digits, etc.

The only method I can think of that doesn't use this system would be a security question. Banks often use these for additional verification when users log in or fail to log in correctly a number of times. They are sometimes also used as a "secret" code for retrieving a password, but even then, it is typically emailed to the user, not displayed on the page.

#3


Without sending an email you are limiting yourself significantly. One of the benefits of sending a password reset code, or a new password, to someone's email address is that you can rely on the assumption that they are the only person with access to their email account.

That said, you could use a "Secret Question" scheme to allow someone to reset their password. When this person creates their account you need to capture their secret question and the answer. You would then prompt the user with this question, and only permit resets if they answer correctly.

I must warn you that this is not a very good method of securing their password from unauthorized access. For a good article read: http://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html

#4


You have no way of knowing who is trying to reset "Joe's" password. It could be Joe, or it could be someone posing as Joe.

An alternative to sending an email is to either call one of Joe's phones with a one-time reset key or send an SMS message.

Calling Joe's phone with an audio message is easy with http://www.twilio.com/. But anyone might be able to pick up Joe's office phone. So usually you'd want an additional challenge before calling, e.g. a secret question/answer. By using the phone and the secret Q&A, you've made things tougher for the bad guys but still doable by Joe.

Another idea is to send the reset message to someone that Joe trusts and who knows Joe. (Send either by email or by telephone / sms.) A variant of this is to send to an employee who knows Joe, eg his assigned salesrep, HR rep, etc.

Use the post: send a snail mail letter with the reset code in it. It would take a couple of days to get there, but theft of mail is a federal rap. See http://www.postalmethods.com/. If there are very bad possible negative outcomes, this can be a good solution.

For any of the above, Joe would enter the information when he sets up the account.

Another pattern is to require Joe to call into a help desk and let a human interrogate him.

Bottom line is that no technique is perfect. See the Twitter break-in story: http://www.technewsworld.com/story/67612.html?wlc=1247790901&wlc=1248238327

Last thought: don't forget about anti-phishing. Often done by enabling Joe to choose a picture that the site will show him when doing something important. The idea is that a phishing site won't be able to replicate the UI, thus raising Joe's suspicions that he may not have arrived at the right site.
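The secret-question scheme of answer #3 and the "challenge first, then a one-time key to the phone" flow of answer #4 fit together as one two-step reset, which also addresses the question's worry about letting someone change a password just for knowing a 9-digit number (that number can stand in for the secret answer here). The code below is an added example written for this page, not code from the thread or from any of the answerers. It assumes PHP 7.1 or later with PDO and the sqlite driver so that it runs offline against an in-memory table; the schema, the user "joe", the answer "Fluffy", and the limits (5 wrong answers, 15 minute lockout, 10 minute code lifetime, 5 wrong codes) are constructed for illustration. Delivering the code by SMS or voice call is left to the caller.

```php
<?php
// Added example, not from the original question or answers. Assumes PHP 7.1+ with PDO
// and the sqlite driver; schema, user and limits are constructed for illustration.
declare(strict_types=1);

const MAX_ANSWER_ATTEMPTS = 5;    // wrong secret answers before a lockout
const ANSWER_LOCK_SECONDS = 900;  // lockout length: 15 minutes
const CODE_TTL_SECONDS    = 600;  // delivered one-time code lives 10 minutes
const MAX_CODE_ATTEMPTS   = 5;    // wrong codes before the code is burned

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL,
        password_hash TEXT NOT NULL, answer_hash TEXT NOT NULL,
        answer_failures INTEGER NOT NULL DEFAULT 0, locked_until INTEGER NOT NULL DEFAULT 0)');
    $db->exec('CREATE TABLE reset_codes (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL,
        code_hash TEXT NOT NULL, expires_at INTEGER NOT NULL,
        attempts INTEGER NOT NULL DEFAULT 0, used INTEGER NOT NULL DEFAULT 0)');
    return $db;
}

// Normalise case and whitespace so "Fluffy " matches "fluffy"; the raw answer is never stored.
function normalize_answer(string $a): string {
    return strtolower(trim((string) preg_replace('/\s+/', ' ', $a)));
}

function create_user(PDO $db, string $user, string $password, string $secretAnswer): void {
    $db->prepare('INSERT INTO users (username, password_hash, answer_hash) VALUES (?, ?, ?)')
       ->execute([$user, password_hash($password, PASSWORD_DEFAULT),
                  password_hash(normalize_answer($secretAnswer), PASSWORD_DEFAULT)]);
}

// Step 1, the knowledge challenge. Returns the one-time code for the caller to deliver out of
// band (SMS / voice), or null. Unknown user, lockout and wrong answer all look the same.
function begin_reset(PDO $db, string $user, string $answer, int $now): ?string {
    $st = $db->prepare('SELECT * FROM users WHERE username = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['locked_until'] > $now) {
        return null;
    }
    if (!password_verify(normalize_answer($answer), $row['answer_hash'])) {
        $fails = (int) $row['answer_failures'] + 1;
        $lock  = $fails >= MAX_ANSWER_ATTEMPTS ? $now + ANSWER_LOCK_SECONDS : 0;
        $db->prepare('UPDATE users SET answer_failures = ?, locked_until = ? WHERE id = ?')
           ->execute([$lock ? 0 : $fails, $lock, $row['id']]);
        return null;
    }
    $db->prepare('UPDATE users SET answer_failures = 0 WHERE id = ?')->execute([$row['id']]);
    $db->prepare('UPDATE reset_codes SET used = 1 WHERE user_id = ?')->execute([$row['id']]); // one live code
    $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);  // CSPRNG, uniform
    $db->prepare('INSERT INTO reset_codes (user_id, code_hash, expires_at) VALUES (?, ?, ?)')
       ->execute([$row['id'], hash('sha256', $code), $now + CODE_TTL_SECONDS]);
    return $code;
}

// Step 2, proof of possession of the delivered code: single use, time-limited, attempt-limited,
// compared in constant time. True only when the password was actually changed.
function complete_reset(PDO $db, string $user, string $code, string $newPassword, int $now): bool {
    $st = $db->prepare('SELECT r.id, r.user_id, r.code_hash, r.attempts FROM reset_codes r
                        JOIN users u ON u.id = r.user_id
                        WHERE u.username = ? AND r.used = 0 AND r.expires_at > ?
                        ORDER BY r.id DESC LIMIT 1');
    $st->execute([$user, $now]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    if (!hash_equals($row['code_hash'], hash('sha256', $code))) {
        $attempts = (int) $row['attempts'] + 1;  // a 6-digit code must never be guessable online
        $db->prepare('UPDATE reset_codes SET attempts = ?, used = ? WHERE id = ?')
           ->execute([$attempts, $attempts >= MAX_CODE_ATTEMPTS ? 1 : 0, $row['id']]);
        return false;
    }
    $db->beginTransaction();
    $db->prepare('UPDATE reset_codes SET used = 1 WHERE user_id = ?')->execute([$row['user_id']]);
    $db->prepare('UPDATE users SET password_hash = ?, answer_failures = 0, locked_until = 0 WHERE id = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $row['user_id']]);
    $db->commit();
    return true;
}

// Walk-through on constructed data.
$db = open_db();
create_user($db, 'joe', 'old-password', 'Fluffy');
$t = time();
assert(begin_reset($db, 'joe', 'rover', $t) === null);        // wrong answer: nothing issued
$code = begin_reset($db, 'joe', ' fluffy ', $t);               // right answer after normalisation
assert($code !== null && strlen($code) === 6);
$wrong = $code === '000000' ? '000001' : '000000';
assert(complete_reset($db, 'joe', $wrong, 'new-password', $t) === false);
assert(complete_reset($db, 'joe', $code, 'new-password', $t + 60) === true);
assert(complete_reset($db, 'joe', $code, 'again', $t + 61) === false);   // single use
$code2 = begin_reset($db, 'joe', 'fluffy', $t);
assert(complete_reset($db, 'joe', $code2, 'late', $t + CODE_TTL_SECONDS) === false); // expired
echo "reset flow ok\n";
```

Two design points worth keeping when adapting this: the page shown to the user after step 1 should read the same whether the username exists, the account is locked, or the answer was wrong, otherwise the reset form becomes a username and secret-answer oracle; and the lockout counter is shared between Joe and whoever is guessing on his behalf, so the lock is a deliberate trade of availability for resistance to guessing, which is why the delivered code, not the secret answer alone, is what finally authorises the change.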
