2

我想知道当用户请求为不存在的电子邮件重置密码时,最好的行为是什么。

上下文:用户未登录。他们只需输入电子邮件并点击重置按钮。

  1. 如果我立即告诉请求重置的用户该帐户不存在,这既是一个安全漏洞,也是一个隐私问题。
  2. 如果我什么都不做,这是一个无辜的错误(他们认为他们有一个帐户),他们会想知道到底发生了什么。最神秘的选择,最不容易被滥用。
  3. 我可以发送一封电子邮件,说明已请求重置密码但没有帐户(应该忽略等等等等)。这似乎是最不有害的,但它有点受到滥用。

更新:进一步考虑,我真的不知道1有什么大不了的,因为他们可以通过简单地尝试注册/使用相同的电子邮件来获得相同的信息......除非我错过了什么......

4

4 回答 4

2

I personally would go this way:

  1. User enters e-mail address.
  2. Screen says "request will be processed, e-mail has been send" or something along those lines.
  3. If there is no account linked with this e-mail address: don't send a mail, but don't tell the guy requesting.
  4. If there is an account linked with this e-mail: send the reset e-mail including the usual "if this wasn't you simply ignore this mail, if you suspect abuse please contact $foobar"-message.

Here is why i would NOT tell anyone whether an account is linked with this e-mail address: Privacy. If you told everyone, everyone could check if $person is using $service.

Figured i would include why i wouldn't send a mail if there was no such user: Why should i? The user will probably either know which email address he used or try several at once (or only wait a short time span). Of course there are cases in which it would be a bit more userfriendly if one would send those mails, but they aren't important enough to negate the abuse potential. There is not much abuse potential if only one website does that stuff (as long as they wouldn't send multiple mails in a short timespan), but imagine every webservice going this way. You would just have to collect a few of those services and then emailbomb someone 'you' dislike, without hitting any spamfilter!

于 2012-04-09T22:31:38.853 回答
0

就个人而言,我很喜欢:

  • 用户输入电子邮件。
  • 无论电子邮件是否存在,都说它已被请求,如果您没有很快收到电子邮件,请重试或联系我们。
  • 在电子邮件中,说明已提交密码请求,如果不是用户,则忽略该电子邮件。

还,

  • 如果您担心机器人会在您的网站上抓取电子邮件,请添加验证码。
  • 如果您担心有人入侵帐户,请添加第二层以提示您提供秘密问题答案。
于 2012-04-09T21:04:18.707 回答
0

在我看来,第三种选择是用户友好性和安全性之间的最佳折衷。选项 1 似乎是一个很大的隐私问题。使用选项 2,用户无法知道他是否有帐户,但使用另一个电子邮件地址注册,或者重置系统是否不起作用。

于 2012-04-09T21:10:23.043 回答
0

我会做这样的事情

  • 询问用户名或电子邮件
  • 如果该电子邮件或用户名存在,请将所有电子邮件连同重置密码一起发送给此人。

完成的 :)

于 2012-04-09T22:40:25.307 回答