如何安全地检索已添加用户的密码?

huangapple go评论77阅读模式
英文:

How to securely retrieve a password of an added user?

问题

我正在开发一个Flask应用程序,其中用户由管理员预先注册,因此我使用Flask管理面板,管理员可以对各种表格执行CRUD操作,包括“用户”表格。在添加新用户时,程序会生成一个密码,对其进行哈希处理,并将其存储在数据库中。问题是如何为管理员检索此已添加用户帐户的实际密码,以便他们可以进一步与用户共享以进行登录。

我考虑了一些选项,但不确定哪种方法最好:

  1. 直接在页面上显示密码。

  2. 向管理员发送包含密码的电子邮件。

  3. 发送带有附加加密文件的电子邮件,其中包含密码(在这种情况下,网站应该以某种方式发送/显示解密密码给管理员)。

那么哪种选项(当然,如果您认为它们比提到的更好,您可以提出其他选项)既安全又方便?

英文:

I’m developing a flask app where users are preregistered by admins, so I use flask admin panel where an admin can perform CRUD operations on various tables, including the "user" table. When adding a new user, the program generates a password, hashes it, and stores it in the database. The question is how to retrieve the actual password of this added user account for the admin so they could further share it with the user for login.

I considered a few options but I'm not sure which one would be the best approach:

  1. Display the password directly on the page.

  2. Send email to an admin with the password.

  3. Send email with the attached encrypted file which contains a password (in this case a website should somehow send/show the decryption password for admin).

So which option (of course you can suggest other, if you consider they're better than mentioned) would be both secure and convenient?

答案1

得分: 1

不要将密码明文发送给用户或管理员,也不要在屏幕上显示密码。最佳做法是在生成帐户时默认禁用登录。生成一个随机的哈希字符串,将其发送给用户作为OTP,或者发送重置密码链接并附带一些确认代码。当用户点击链接或验证OTP时,将其引导至设置密码页面。一旦这个强制密码更改成功完成,就可以启用用户帐户并允许登录。

英文:

Do not send password in clear text to user or admin or display it on screen. The best practice is to disable the login by default when account is generated. Generate a random hashed string and send it to user as OTP or send reset password link with some confirmation code. When user clicks on the link or validates the OTP, send him/her to set password page. Once this forced password change is done successfully, user account can be enabled and login can be allowed.

huangapple
  • 本文由 发表于 2023年6月16日 14:38:54
  • 转载请务必保留本文链接:https://go.coder-hub.com/76487525.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定