处理忘记密码/密码重置最安全的方法是什么?我应该通过电子邮件将密码发送给用户吗?如果是这样，你会强迫他们重置它吗?还是让他们立即重置(不发送电子邮件)并要求其他信息来验证是他们?还是有更好的方法?

What is the most secure way to handle forgotten passwords/password resets? Should I email the password to the user? If so do you then force them to reset it? Or do you let them reset it immediately (without sending an email) and require some other information to verify that it is them? Or is there a better method?

推荐答案

您不能通过电子邮件将密码发送给用户，因为您不知道.您已经通过