我创建了一个数据库结构,其中用户获取公钥和私钥来访问信息,公钥被上传到数据库,私钥用用户密码加密,所以我让他可以访问它。实施"忘记我的密码"在此结构中,必须将电子邮件发送到Unser,后者提供使用新密码加密私钥的选项。我考虑过将所有私钥存储在其他地方,但这会危及整个安全性,因为我不希望私钥或密码存储在数据库的任何位置。所以我现在遇到的问题是我没有原始密码就无法访问私钥,那么我怎样才能让用户使用新密码重新加密它。
答案 0 :(得分:1)
You don't need the original password to add the option for the user change the password. And is very dangerous create a way to recover the original passoword of the user. If I was you, I would use some hash algorithm, like SHA-256, and store the result as the password of the user.
Well, returning for the question, one way to accomplish this password user change is create a UUID in your User table. When the user try to change his password, you redirect him to a page with this UUID in the link. This UUID works as a temporary key that permit the user change his password.
Per example.
Table: User
id | name | UUID
1 | John | f39a33c3-e7f5-455a-afad-dcf845eb04a1
When the user wants to change the password, you send a link for his e-mail:
http://yoursite.com/recover-password?UUID=f39a33c3-e7f5-455a-afad-dcf845eb04a1
So, when the user enter the new password in the page and submit the informations, you get this UUID and validate if it's really the UUID generated for the user. So, the password change can happen.
答案 1 :(得分:0)
实现此目的的最简单方法是使用当前密码解密私钥并使用新密码重新加密,然后更新数据库中的新密码。