让服务器在注册时为用户随机生成密码而不是让用户键入自己的密码是否更安全?当然,这些密码将是bcrypt-ed。
我估计如果有人闯入您的网站数据库,检索到的密码在您的网站之外将无用,除非用户开始将您的随机生成的密码用于其他目的,我认为这是不可能的。
因此,您不必担心恶意用户使用被盗密码闯入用户的电子邮件,银行帐户或其他任何可能在网络上发布的内容,除非我遗漏了某些内容
是否存在与服务器生成的密码相关的风险?
抱歉英语不好。
答案 0 :(得分:2)
You shouldnt rely on randomness. The key is to never store passwords. You store hashes of passwords and the salts used to generate those. You should use a cryptographically safe hashing algorithm such as pbkdf2 or bcrypt. Take a look at this post.
What is your plan in regards to dealing out random passwords? Send it to the registered email address?
I believe many would prefer using their own passwords. Keep in mind that there people who do not use keystores (such as chromes password manager) could probably be desuaded from using your website if they have to remember a randomly generated one.