Best practice on generating reset password tokens

混江龙づ霸主 提交于 2019-12-03 03:59:06

问题


Any best practice on how a reset password token should be constructed? I'm thinking:

random 17 characters [a-zA-Z0-9] + a globally unique id + random 17 characters [a-zA-Z0-9].

Is there a better solution, or an industry standard on reset password tokens?


回答1:


There are some important points to consider.

  1. The code should be really random (read from MCRYPT_DEV_URANDOM), and should not be derrived from other user related information.
  2. Ideally the code is base62 encoded (A-Z a-z 0-9) to avoid problems with the Url.
  3. Store only a hash of the token in the database, otherwise an attacker with read access to the database can reset any account.

This leads to the problem that you have to find the hash of the token in the database, after the user clicked the link. There are two possible ways to store the token:

  • You hash the token with a hash algorithm like SHA512 without a salt. This is secure if the token is very strong (minimum length 20 with 0-9 a-z A-Z). Theoretically you have to check whether such a hash already exists before you enter it in the database, in practise this is negligible. I implemented a password-reset class that can handle such tokens.
  • You hash the token with BCrypt and salt. This allows for shorter tokens, but you cannot search for the hashed token in the database. Instead you have to include a row-id in the link to find the token.


来源:https://stackoverflow.com/questions/20013672/best-practice-on-generating-reset-password-tokens

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!