Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.2k views
in Technique[技术] by (71.8m points)

authentication - Forgot Password: what is the best method of implementing a forgot password function?

I'm wondering what the best method is for creating a forgot password function on a website. I have seen quite a few out there, here are a few or combination of:

  • passphrase question / answer (1 or more)
  • send email with new password
  • on screen give new password
  • confirmation through email: must click link to get new password
  • page requiring user to enter a new password

What combination or additional steps would you add to a forgot password function? I'm wondering about how they request the new password and how they end up getting it.

I'm operating on the principal that the password cannot be retrieved; a new password must be given/generated.

Edit I like what Cory said about not displaying if the username exists, but I'm wondering what to display instead. I'm thinking half the problem is that the user forgot which email address they used, which displaying some sort of "does not exist" message is useful. Any solutions?

Question&Answers:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)
  1. I personally would send an email with a link to a short term page that lets them set a new password. Make the page name some kind of UID.
  2. If that does not appeal to you, then sending them a new password and forcing them to change it on first access would do as well.

Option 1 is far easier.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...