"Forgot password?" un drošība

[ArnisR]

Sveiki!

 

Kāds būtu drošākais mehānisms aizmirstas lietotāja paroles atjaunošanai WEB aplikācijā?

Vai tas būtu pareizi/pietiekami droši to realizēt bez speciālu hash'u glabāšanas datubāzē?

 

Paldies par diskusiju!

[aaxc]

Ko tev googles tante teica? Man viņa uzreiz par šo pastāstija.

[ArnisR]

Ko tev googles tante teica? Man viņa uzreiz par šo pastāstija.

 

Sorry, laikam nekorekti izteicos! Ar "paroles atjaunošana" nebija domāts atgūt veco parole, bet gan nomainīt to pret jaunu!

[daGrevis]

Uzģenerē linku ar tokenu, kuru aizsūti uz norādīto e-pastu (tokenam vari izmantot UUID-4).

 

Links ir derīgs tikai vienu reizi un tikai stundu.

[aaxc]

A uz kurieni tad es tevi aizsūtiju??

 

1.     When user asks to reset their password, make them enter their email address
2.     Don't indicate if that email address was valid or not (just tell them that an email was dispatched). This is open for debate as it lowers usability (i.e. I have no idea which email I registered with) but it offers less information to people trying to gather information on which emails are actually registered on your site.
3.     Generate a token (maybe hash a timestamp with a salt) and store it into the database in the user's record.
4.     Send an email to the user along with a link to your http*s* reset page (token and email address in the url).
5.     Use the token and email address to validate the user.
6.     Let them choose a new password, replacing the old one.
7.     Additionally, it's a good idea to expire those tokens after a certain time frame, usually 24 hours.
8.     Optionally, record how many "forgot" attempts have happened, and perhaps implement more complex functionality if people are requesting a ton of emails.
9.     Optionally, record (in a separate table) the IP address of the individual requesting the reset. Increment a count from that IP. If it ever reaches more than, say, 10... Ignore their future requests.

[Aleksejs]

How to build (and how not to build) a secure “remember me” feature

 

P.S. jā, es apzinos, ka "remember me" != "forgot password", taču abas tēmas ir savā ziņā saistītas un daži no antipatterniem ir līdzīgi.

[Kavacky]

Don't indicate if that email address was valid or not (just tell them that an email was dispatched). This is open for debate as it lowers usability (i.e. I have no idea which email I registered with) but it offers less information to people trying to gather information on which emails are actually registered on your site.

Useless bullshit tajos gadījumos, kad reģistrācijā prasa e-pastu un tad parāda, ka tāds jau ir aizņemts.