Dev Shed Forums
PHP5 - Confirming a new user (simple questions)
March 11th, 2013, 01:37 PM
Strider64 (Registered User; Join Date: Aug 2012; Posts: 25)
I have a few questions regarding a person registering for my site.
I have the PHP code working, but I want to make sure there are no major loopholes that I might have missed.
Here's my confirmation page, where I have $passkey generated by a random unique MD5 string. I figure my registration password is much stronger than that, and all I am doing is trying to make sure the person is who they say they are. Am I wrong in thinking this way, or do I need to do something stronger?
Here is a snippet of my confirmation page that retrieves the confirmation number from the database. I can supply more code if needed:
PHP Code:
<?php
$confirmed = 0;
if (isset($_GET['passkey'])) {
    // Passkey taken from the link in the confirmation e-mail.
    // htmlspecialchars() is HTML output encoding, not database sanitisation:
    // the lookup inside get_confirmation_code() still needs a prepared statement.
    $passkey = htmlspecialchars($_GET['passkey']);
    // Look the passkey up in the database; 1 means it was found
    $confirmed = get_confirmation_code($passkey);
    if ($confirmed == 1) {
        // Mark the account as confirmed
        set_comfirmed_code($confirmed, $passkey);
        echo "Congrats, You have been validated!";
    } else {
        echo "I'm sorry, but I can't validate you.";
    }
}
My last question is: should I have some kind of CAPTCHA? I have heard pros and cons on this over the years. I remember running a BBS a long time ago and creating a system similar to this; I wrote a routine where my BBS would actually call back the person's telephone number to verify them. Writing this sure has brought back those memories... talk about the fun I had back then.
Thanks John
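To make the question above concrete, here is an added example of a complete confirmation-key lifecycle: generation from a CSPRNG, storage of a digest only, a single lookup through a prepared statement, expiry and single use. It is not the original poster's code and it does not use his get_confirmation_code() / set_comfirmed_code() helpers. It assumes PHP 7 or later (for random_bytes()) and PDO with the sqlite driver; the users table layout, the 24-hour lifetime and the e-mail address are assumptions made for illustration.

```php
<?php
// Added example for this thread, not the poster's code. Assumes PHP 7+ (random_bytes)
// and PDO with the sqlite driver; the table layout, the 24-hour lifetime and the
// e-mail address are assumptions made for illustration.
declare(strict_types=1);

const TOKEN_BYTES    = 16;        // 128 bits of entropy, 32 hex characters in the link
const TOKEN_LIFETIME = 24 * 3600; // seconds a confirmation link stays valid

function makeActivationToken(): string
{
    // random_bytes() throws when no CSPRNG is available instead of silently degrading.
    // On PHP 5 use openssl_random_pseudo_bytes() and check its $crypto_strong flag.
    return bin2hex(random_bytes(TOKEN_BYTES));
}

function tokenDigest(string $token): string
{
    // Only a digest is stored, so a leaked users table does not hand out live links.
    return hash('sha256', $token);
}

function openStore(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (
        id            INTEGER PRIMARY KEY,
        email         TEXT    NOT NULL,
        confirmed     INTEGER NOT NULL DEFAULT 0,
        token_digest  TEXT,
        token_expires INTEGER)');
    return $pdo;
}

// Creates the unconfirmed account and returns the clear token for the e-mail link.
function registerPendingUser(PDO $pdo, string $email): string
{
    $token = makeActivationToken();
    $stmt  = $pdo->prepare('INSERT INTO users (email, token_digest, token_expires)
                            VALUES (:email, :digest, :expires)');
    $stmt->execute([
        ':email'   => $email,
        ':digest'  => tokenDigest($token),
        ':expires' => time() + TOKEN_LIFETIME,
    ]);
    return $token;
}

// Confirms the account that owns $passkey: unknown, expired or already used keys fail.
function confirmUser(PDO $pdo, string $passkey): bool
{
    // Reject anything that is not exactly 32 lowercase hex characters before the lookup.
    if (!preg_match('/\A[0-9a-f]{' . (2 * TOKEN_BYTES) . '}\z/', $passkey)) {
        return false;
    }
    // The lookup is by digest through a prepared statement, so the query string never
    // contains user input and the database compares an unpredictable value.
    $stmt = $pdo->prepare('SELECT id FROM users
                           WHERE token_digest = :digest AND confirmed = 0
                             AND token_expires > :now');
    $stmt->execute([':digest' => tokenDigest($passkey), ':now' => time()]);
    $id = $stmt->fetchColumn();
    if ($id === false) {
        return false;
    }
    // Single use: confirming and clearing the token is one UPDATE on the same row.
    $upd = $pdo->prepare('UPDATE users
                          SET confirmed = 1, token_digest = NULL, token_expires = NULL
                          WHERE id = :id AND confirmed = 0');
    $upd->execute([':id' => $id]);
    return $upd->rowCount() === 1;
}

// Constructed demo run: first use succeeds, a replay and a made-up key do not.
$pdo   = openStore();
$token = registerPendingUser($pdo, 'john@example.com');
echo 'first use:   ', var_export(confirmUser($pdo, $token), true), PHP_EOL;
echo 'replayed:    ', var_export(confirmUser($pdo, $token), true), PHP_EOL;
echo 'made-up key: ', var_export(confirmUser($pdo, str_repeat('0', 32)), true), PHP_EOL;
```

The key is never related to the password and is never stored in the clear; the strict format check means a malformed or oversized passkey never reaches the database, and the UPDATE's `confirmed = 0` condition is what stops a link from being used twice.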

March 11th, 2013, 03:27 PM
Jacques1 (Join Date: Jul 2012; Location: Germany)
Hi,
I don't quite understand your question. OK, you have a randomly generated confirmation key. And now what? What do you mean by "my registration password is much stronger than that"?
The key factors to security are a strong pseudo-random number generator and a good password hashing algorithm. When you talk about MD5, that already makes me doubtful.
As to the CAPTCHA, yeah, you'll probably need it to fight off bot registrations.

March 11th, 2013, 04:10 PM
Strider64 (Registered User)
Quote (Originally Posted by Jacques1):
    Hi,
    I don't quite understand your question. OK, you have a randomly generated confirmation key. And now what? What do you mean by "my registration password is much stronger than that"?
    The key factors to security are a strong pseudo-random number generator and a good password hashing algorithm. When you talk about MD5, that already makes me doubtful.
    As to the CAPTCHA, yeah, you'll probably need it to fight off bot registrations.
Maybe if I reword it I can make myself clearer (I hope). My registration password has a good algorithm and a strong pseudo-random number generator. It doesn't use MD5. Does the confirmation number need to be the same? (Rewording what I mean, I think I probably answered my own question, and that is probably yes. I wish the internet was like a BBS where a telephone line is hardwired.)
Thanks for the help.
John

March 11th, 2013, 04:34 PM
Jacques1
Quote (Originally Posted by Strider64):
    My Registration Password has a good algorithm
Which one? If it's some "special algorithm" that you need to keep secret, this would be a bad sign.
Quote (Originally Posted by Strider64):
    and a strong pseudo-random number generated.
Which algorithm do you use?
Quote (Originally Posted by Strider64):
    Does the confirmation number need to be the same?
You mean if the confirmation number has to be the user password? No! It mustn't be, because this would mean sending the password via e-mail (which isn't a secure channel, as we all know). It also means that the password will reside in the inbox for an indefinite time.
The confirmation key is a separate random string not related to the password in any way. Its only purpose is to allow a secure account confirmation (in order to make sure the e-mail address is correct).

March 11th, 2013, 07:53 PM
E-Oreo (Lost in code)
A confirmation/activation key doesn't need to be hashed at all, it just has to be random and sufficiently long. There's no benefit to hashing it besides the fact that PHP's hashing functions are a fairly simple way of converting a random string of bits into ASCII so that you can pass it through a URL.
If the activation link automatically logs the user in, just make sure you protect against brute force guessing of activation keys though.
CAPTCHAs are usually put on the sign up form, I haven't seen too many on an activation form.
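E-Oreo's point about brute-force guessing deserves a concrete shape. The block below is an added example, not code from the thread or from any of the posters: a per-source failure budget in front of the activation check, plus the arithmetic that shows why a long random key makes guessing hopeless even without the throttle. It assumes PDO with the sqlite driver; the table name, the limits (10 failures per 15 minutes), the use of the client IP as the "source", and the demo address 203.0.113.7 are all assumptions made for illustration. The $verify callback stands in for whatever database lookup the activation page actually performs.

```php
<?php
// Added example, not code from the thread. A per-source throttle in front of the
// activation check, assuming PDO with the sqlite driver. The limits, table name
// and the "source" key (client IP here) are assumptions for illustration.
declare(strict_types=1);

const MAX_FAILURES   = 10;   // failed activations tolerated per source ...
const WINDOW_SECONDS = 900;  // ... inside this sliding window

function openAttemptStore(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE activation_failures (source TEXT NOT NULL, at INTEGER NOT NULL)');
    return $pdo;
}

// Number of failures recorded for $source inside the window; older rows are dropped.
function recentFailures(PDO $pdo, string $source, int $now): int
{
    $pdo->prepare('DELETE FROM activation_failures WHERE at < :cutoff')
        ->execute([':cutoff' => $now - WINDOW_SECONDS]);
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM activation_failures WHERE source = :source');
    $stmt->execute([':source' => $source]);
    return (int) $stmt->fetchColumn();
}

// Runs $verify($passkey) only while the source is under its failure budget.
// Returns 'ok', 'invalid' or 'throttled'. Failures are counted, successes are not,
// so a legitimate user with a working link is never locked out by their own clicks.
function guardedActivation(PDO $pdo, string $source, string $passkey, callable $verify, int $now): string
{
    if (recentFailures($pdo, $source, $now) >= MAX_FAILURES) {
        return 'throttled';
    }
    if ($verify($passkey)) {
        return 'ok';
    }
    $pdo->prepare('INSERT INTO activation_failures (source, at) VALUES (:source, :at)')
        ->execute([':source' => $source, ':at' => $now]);
    return 'invalid';
}

// Expected number of guesses before hitting one of $liveTokens outstanding keys of
// $bits bits each: roughly 2^(bits-1) / liveTokens. This is what makes key length,
// not the throttle, the primary defence; the throttle covers short or leaked-format keys.
function expectedGuesses(int $bits, int $liveTokens): float
{
    return (2 ** ($bits - 1)) / $liveTokens;
}

// Constructed demo: one live 128-bit key, an attacker hammering the endpoint
// with random guesses from a single address.
$pdo   = openAttemptStore();
$live  = bin2hex(random_bytes(16));
$check = function (string $guess) use ($live): bool {
    return hash_equals($live, $guess);
};
$now = time();
for ($i = 0; $i < MAX_FAILURES + 2; $i++) {
    $result = guardedActivation($pdo, '203.0.113.7', bin2hex(random_bytes(16)), $check, $now + $i);
    echo "guess $i: $result", PHP_EOL;
}
printf("128-bit key, 1000 live tokens: ~%.3g guesses expected%s", expectedGuesses(128, 1000), PHP_EOL);
printf(" 32-bit key, 1000 live tokens: ~%.3g guesses expected%s", expectedGuesses(32, 1000), PHP_EOL);
```

Keying the budget on the client address is a pragmatic default, not a complete answer (a botnet spreads guesses across many sources), which is why the throttle is paired with a key long enough that guessing is infeasible in the first place. When the activation link also logs the user in, the same guard should sit in front of that login.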

March 11th, 2013, 08:13 PM
Registered User (Join Date: Mar 2013; Posts: 21)
Quote (Originally Posted by E-Oreo):
    PHP's hashing functions are a fairly simple way of converting a random string of bits into ASCII so that you can pass it through a URL.
    If the activation link automatically logs the user in, just make sure you protect against brute force guessing of activation keys though.
I agree. When generating the hash be sure to use something that is at least as random as mt_rand().
That is probably sufficient for an activation link, since those typically expire after a short time anyway.
If you want a more secure way to generate the activation string:
Code:
<?php
$bytes = openssl_random_pseudo_bytes(32, $crypto_strong); // 256 random bits; the flag reports whether the source was cryptographically strong
if ($bytes === false || !$crypto_strong) { die('No cryptographically strong random source available'); }
$activationString = bin2hex($bytes); // 64 hex characters, safe to put in a URL
But on a busy site, there may be performance implications of generating 256-bit encryption grade random numbers.

March 11th, 2013, 10:21 PM
Strider64 (Registered User)
I'd first like to say thanks to everyone that helped; it has answered a lot of my questions.
While I'm at it, I just want to clear a few things up. I never used my password in any manner, and as a matter of fact I have modified the "How to program a basic but secure login system" tutorial that E-Oreo posted here.
I developed a simple random number generator that I will be using for my verification code, or a modified version of it. I know from past experience not to touch the password as much as possible. I think of it as having its own file cabinet that no other variable can touch. I have been testing this on my local server and so far so good. I will not post it on my web server until I'm 99 percent sure it is secure. Though nothing is really 100 percent secure.
I know from years ago running a BBS (Bulletin Board Service) that a lot of crazy things can happen and that you always have to be on guard for something fishy, and expect the unexpected. You should have seen what they used to do back in the modem days. It never happened to me, but other sysops have had people make long distance calls on their BBS. What I'll do if I see anything strange is pull the system offline; I did that to my BBS a couple of times. Hopefully, though, if I take the measures up front it won't happen in the first place, or will have very little effect.
Anyway, again, thanks for all the help and information.