I am using Asp.Net Identity for generate a password reset token.
我使用Asp.Net Identity生成密码重置令牌。
string Token = userManager.GeneratePasswordResetToken(userId);
above code is giving me a token with large length. Is it possible to generate password reset token with short length?
上面的代码给了我一个很长的令牌。是否可以生成短长度的密码重置令牌?
1 个解决方案
#1
0
Your password reset token needs to be cryptographically random - that means that given a set of used tokens the next token should be impossible to guess. It also needs to cover a large enough set of possible values that brute force attempting all of them is impractically slow.
您的密码重置令牌需要以加密方式随机 - 这意味着给定一组使用过的令牌,下一个令牌应该是无法猜测的。它还需要覆盖足够大的一组可能的值,这些暴力尝试所有这些值都是不切实际的慢。
You can make changes to make the latter work with smaller sets of possible values - for instance you can add a 1s delay to the password reset page/action before checking the token. Your users will barely notice the delay on the rarely used page, but attackers will not be able to attempt lots of tokens quickly.
您可以进行更改以使后者使用较小的可能值集合 - 例如,您可以在检查令牌之前向密码重置页面/操作添加1秒延迟。您的用户几乎不会注意到很少使用的页面上的延迟,但攻击者将无法快速尝试大量令牌。
So, first you need to get a cryptographically random number:
所以,首先你需要获得一个加密随机数:
var random = new byte[8];
using (var rng = System.Security.Cryptography.RandomNumberGenerator.Create())
rng.GetBytes(random);
I've put 8 bytes here but you can make this any length you want.
我在这里放了8个字节,但你可以根据需要设置它。
Next you need to make this into a nice copy-pasteable string. You can do that with a unicode conversion but I find base 64 more reliable:
接下来,您需要将其转换为一个漂亮的可复制粘贴字符串。你可以通过unicode转换来做到这一点,但我发现base 64更可靠:
Convert.ToBase64String(random).TrimEnd('=');
Using this with 8 bytes will give you 64 bits of possible values and a 10 char string. Using 4 will give you 32 bits (probably enough with slow token checking on a low security site) and a 5 char string.
使用8个字节可以得到64位可能值和10个字符串。使用4将为您提供32位(可能在低安全性站点上进行慢速令牌检查)和5个字符串。
#1
0
Your password reset token needs to be cryptographically random - that means that given a set of used tokens the next token should be impossible to guess. It also needs to cover a large enough set of possible values that brute force attempting all of them is impractically slow.
您的密码重置令牌需要以加密方式随机 - 这意味着给定一组使用过的令牌,下一个令牌应该是无法猜测的。它还需要覆盖足够大的一组可能的值,这些暴力尝试所有这些值都是不切实际的慢。
You can make changes to make the latter work with smaller sets of possible values - for instance you can add a 1s delay to the password reset page/action before checking the token. Your users will barely notice the delay on the rarely used page, but attackers will not be able to attempt lots of tokens quickly.
您可以进行更改以使后者使用较小的可能值集合 - 例如,您可以在检查令牌之前向密码重置页面/操作添加1秒延迟。您的用户几乎不会注意到很少使用的页面上的延迟,但攻击者将无法快速尝试大量令牌。
So, first you need to get a cryptographically random number:
所以,首先你需要获得一个加密随机数:
var random = new byte[8];
using (var rng = System.Security.Cryptography.RandomNumberGenerator.Create())
rng.GetBytes(random);
I've put 8 bytes here but you can make this any length you want.
我在这里放了8个字节,但你可以根据需要设置它。
Next you need to make this into a nice copy-pasteable string. You can do that with a unicode conversion but I find base 64 more reliable:
接下来,您需要将其转换为一个漂亮的可复制粘贴字符串。你可以通过unicode转换来做到这一点,但我发现base 64更可靠:
Convert.ToBase64String(random).TrimEnd('=');
Using this with 8 bytes will give you 64 bits of possible values and a 10 char string. Using 4 will give you 32 bits (probably enough with slow token checking on a low security site) and a 5 char string.
使用8个字节可以得到64位可能值和10个字符串。使用4将为您提供32位(可能在低安全性站点上进行慢速令牌检查)和5个字符串。