Which strategy is the best for recoving password. Email the user a link to create a new password, overriding the current one? or Email the user a randomly generated password, then ask them to change it?
1条回答 默认 最新
duanjianlu0506 2015-09-23 22:23关注The first one.
Create a form to get the user's email address.
If the user does not exist in your system, send an email to that address saying "someone tried to reset your password but it's not in our system".
If the user does exist in your system, create a link back to your site, and email the user that link. They click the link in the email and return to your site.
The link should look like this:
https://example.com/reset-password?email=$usersEmail&hmac=$hmacOfTheirEmailConfirm that the email has not been tampered with by checking the HMAC.
To avoid user enumeration, return the same response from the form whether or not their email exists in your system.
Depending on your level of security...
- Log the user in
- Ask them one or more security questions
- Do multi-factor authentication
Then force the user to change their password
Some other answers/sites recommend storing tokens in the database. Ask Mozilla how that went.
You could add some other parameters to that link such as expiry time and IP address. Make sure you include those in the HMAC too.
To prevent replay attacks, include a hash of the user's old (and forgotten) password in the link.
本回答被题主选为最佳回答 , 对您是否有帮助呢?解决 无用评论 打赏举报
分享
- 2015-09-23 22:12回答 1 已采纳 The first one. Create a form to get the user's email address. If the user does not exist in your
- 2017-02-08 18:11回答 1 已采纳 You should never encrypt passwords, you should only hash them. Encryption implies that you can dec
- 2022-03-30 12:18回答 1 已采纳 1、这个得看你项目的加密方式是什么,一般不会是简单的md5。2、通过改代码的方式,在登录接口里,把验证码密码的注释掉,直接登录进后台,通过后台系统重新设置密码。
- 2021-01-20 00:27weixin_39825105的博客 mysql有时候忘记密码了怎么办?我给出案例和说明!一下就解决了!Windows下的实际操作如下1.关闭正在运行的MySQL。2.打开DOS窗口,转到mysql\bin目录。3.输入mysqld --skip-grant-tables回车。如果没有出现提示信息,那就...
- 2018-12-27 05:41回答 1 已采纳 From version 5.0, Laravel uses the function bcrypt() to hash passwords, you should use this. You
- 2022-07-28 15:17回答 1 已采纳 加一行不就完事了 <div class="fr righter"> <div class="title"> 忘记密码 d
- 2016-11-10 09:50回答 5 已采纳 if($result=$check__query )这句恒为真,所以总是登陆成功,改成 if($check__query) 就可以了
- 2021-04-22 00:08Tim Pan的博客 在phpmyadmin中密码设置分为三种模式,分别为:cookie授权模式 、config授权模式、http授权模式,下面我来介绍这三种模式的配置方法。《script》ec(2);《script》phpmyadmin大家可以官方下载,然后再在目录中修改...
- 2015-02-22 20:13回答 1 已采纳 Well here is your problem, you're using a single =, because of this $pass is being set, which will
- 2017-01-13 14:08回答 2 已采纳 You must call it with shell_exec method: $password = shell_exec('/usr/bin/doveadm pw -s SHA512-CR
- 2021-05-16 11:53回答 1 已采纳 <?php header("content-type:text/html;charset=utf-8"); function getPrime($num){ $s=""; for (
- 2021-04-24 00:41weixin_39978101的博客 《Mysql应用MySql登陆密码忘记及忘记密码的解决方案》要点:本文介绍了Mysql应用MySql登陆密码忘记及忘记密码的解决方案,希望对您有用。如果有疑问,可以联系我们。MYSQL入门方法一:MYSQL入门MySQL提供跳过访问...
- 2017-06-27 02:16回答 1 已采纳 maybe answered on How to use basic authorization in PHP curl so try from that: <?php $username
- 2018-10-29 19:40wyh0930的博客 前两天实现了一个通过邮箱找回密码的功能,今天来做一个总结: 首先,需要开启邮箱的IMAP/SMTP服务,我用的是QQ邮箱的,会获取一个IMAP/SMTP服务密码:如uudwdedzxbhmhjhb;在这个位置: 文件目录结构如下: ...
- 2021-01-20 02:28紫木祀水的博客 解决方法:1、首先打开命令行输入net stop mysql或者net stop mysql5命令关闭MySQL服务。2、打开MySQL安装路径,进入到bin目录中复制路径。3、打开命令行,输入cd E:\phpStudy\PHPTutorial\MySQL\bin回车4、输入...
- 没有解决我的问题, 去提问
悬赏问题
- ¥20 BAPI_PR_CHANGE how to add account assignment information for service line
- ¥500 火焰左右视图、视差(基于双目相机)
- ¥100 set_link_state
- ¥15 虚幻5 UE美术毛发渲染
- ¥15 CVRP 图论 物流运输优化
- ¥15 Tableau online 嵌入ppt失败
- ¥100 支付宝网页转账系统不识别账号
- ¥15 基于单片机的靶位控制系统
- ¥15 真我手机蓝牙传输进度消息被关闭了,怎么打开?(关键词-消息通知)
- ¥15 装 pytorch 的时候出了好多问题,遇到这种情况怎么处理?