开发者

password recovery without saving user email

hey there. I'm developing a website and i want to have a password recovery system for the users who lost their password, but i don't want to save the user email address or any private data. i thought of saving a hash 开发者_运维知识库of the email address but if the db is compromised one could check if an email address is registered and which account it belongs to. do you have any ideas?


To protect against the DB being compromised and hashes extracted, just add some random (but constant string) to all email addresses before cashing. E.g. add "BLABLABLA" to turn "joe@example.com" into "joe@example.comBLABLABLA" before hashing. It's still not perfect, but now an attacker needs your DB, your application code, reverse engineer it, and know that that's what he needs to do in the first place (there is no hint in the DB that your application modifies the email address before hashing).

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜