#1
  1. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2012
    Location
    Burb of Detroit, Michigan
    Posts
    86
    Rep Power
    76

    Confirming a new user (simple questions)


    I have a few questions regarding a person registering for my site.

    I have the PHP code working, but I want to make sure there are no major loopholes that I might have missed.
    Here's my confirmation page where I have $passkey generated by a random unique MD5 string. I figure my registration password is much stronger than that, and all I am doing is trying to make sure the person is who they say they are. Am I wrong in thinking this way, or do I need to do something stronger?

    Here is a snippet of my confirmation page that retrieves the confirmation number from the database. I can supply more code if needed:

    PHP Code:
        $confirmed = 0;
        if (isset($_GET['passkey'])) {
            // Passkey that came from the link.
            // Note: htmlspecialchars() escapes for HTML output; since this value is
            // used for a database lookup, validating its expected format is the better fit.
            $passkey = htmlspecialchars($_GET['passkey']);

            // Confirm the new user (get_confirmation_code/set_comfirmed_code are the poster's own functions)
            $confirmed = get_confirmation_code($passkey);
            if ($confirmed == 1) {
                set_comfirmed_code($confirmed, $passkey);
                echo "Congrats, You have been validated!";
            } else {
                echo "I'm sorry, but I can't validate you.";
            }
        }
    My last question is should I have some kind of CAPTCHA? I heard pros and cons over the years on this. I remember running a BBS a long time ago and creating a system similar to this; I wrote a routine where my BBS would actually call back the person's telephone number to verify them. Writing this sure has brought back those memories... talk about the fun I had back then.


    Thanks John
  2. #2
  3. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    Hi,

    I don't quite understand your question. OK, you have a randomly generated confirmation key. And now what? What do you mean by "my registration password is much stronger than that"?

    The key factors to security are a strong pseudo-random number generator and a good password hashing algorithm. When you talk about MD5, that already makes me doubtful.

    As to the CAPTCHA, yeah, you'll probably need it to fight off bot registrations.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  4. #3
  5. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2012
    Location
    Burb of Detroit, Michigan
    Posts
    86
    Rep Power
    76
    Originally Posted by Jacques1
    Hi,

    I don't quite understand your question. OK, you have a randomly generated confirmation key. And now what? What do you mean by "my registration password is much stronger than that"?


    The key factors to security are a strong pseudo-random number generator and a good password hashing algorithm. When you talk about MD5, that already makes me doubtful.

    As to the CAPTCHA, yeah, you'll probably need it to fight off bot registrations.
    Maybe if I reword it I can make myself clearer (I hope). My registration password has a good algorithm and a strong pseudo-random number generated. It doesn't use MD5. Does the confirmation number need to be the same? (Rewording what I mean, I think I probably answered my own question, and that is probably yes. I wish the internet was like a BBS where a telephone line is hardwired.)

    Thanks for the help.
    John
  6. #4
  7. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    Originally Posted by Strider64
    My Registration Password has a good algorithm
    Which one? If it's some "special algorithm" that you need to keep secret, this would be a bad sign.



    Originally Posted by Strider64
    and a strong pseudo-random number generated.
    Which algorithm do you use?



    Originally Posted by Strider64
    Does the confirmation number need to be the same?
    You mean if the confirmation number has to be the user password? No! It mustn't be, because this would mean sending the password via e-mail (which isn't a secure channel, as we all know). It also means that the password will reside in the inbox for an indefinite time.

    The confirmation key is a separate random string not related to the password in any way. Its only purpose is to allow a secure account confirmation (in order to make sure the e-mail address is correct).
  8. #5
    Lost in code
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 2004
    Posts
    8,317
    Rep Power
    7170
    A confirmation/activation key doesn't need to be hashed at all, it just has to be random and sufficiently long. There's no benefit to hashing it besides the fact that PHP's hashing functions are a fairly simple way of converting a random string of bits into ASCII so that you can pass it through a URL.

    If the activation link automatically logs the user in, just make sure you protect against brute force guessing of activation keys though.

    CAPTCHAs are usually put on the sign up form, I haven't seen too many on an activation form.
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
  10. #6
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2013
    Posts
    22
    Rep Power
    0
    Originally Posted by E-Oreo
    PHP's hashing functions are a fairly simple way of converting a random string of bits into ASCII so that you can pass it through a URL.

    If the activation link automatically logs the user in, just make sure you protect against brute force guessing of activation keys though.
    I agree. When generating the hash be sure to use something that is at least as random as mt_rand().

    That is probably sufficient for an activation link, since those typically expire after a short time anyway.

    If you want a more secure way to generate the activation string:

    Code:
    $bytes = openssl_random_pseudo_bytes(32);
    $activationString = bin2hex($bytes);
    But on a busy site, there may be performance implications of generating 256-bit encryption grade random numbers.
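    Putting the advice from the last two replies together with the confirmation page from post #1, here is an added example (not code from the thread or from any of its posters) of a complete activation-key lifecycle: a 256-bit random key rendered with bin2hex(), an expiry, single use, a constant-time comparison, and a per-account failed-attempt budget against guessing. It uses an in-memory SQLite database through PDO so it runs stand-alone; the table and column names, the one-hour TTL, the five-attempt limit, and passing a user id alongside the passkey in the link are all this example's own assumptions. random_bytes() is the PHP 7+ CSPRNG; on older PHP the openssl_random_pseudo_bytes() call shown above fills the same role.

```php
<?php
// Added example, not the thread's code. Names, limits and schema are assumptions.
declare(strict_types=1);

const KEY_BYTES        = 32;    // 256-bit key, like the openssl_random_pseudo_bytes(32) snippet above
const KEY_TTL_SECONDS  = 3600;  // activation links expire; one hour is an assumed value
const MAX_FAILED_TRIES = 5;     // assumed per-account budget of wrong keys before a new key is required

// In-memory SQLite so the example runs offline; a real site would use its own connection.
function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        email TEXT NOT NULL UNIQUE,
        confirmed INTEGER NOT NULL DEFAULT 0,
        activation_key TEXT,
        activation_expires INTEGER,
        failed_tries INTEGER NOT NULL DEFAULT 0
    )');
    return $db;
}

// Issue a fresh key for a user and return it (this is what goes into the e-mailed link).
// bin2hex() already makes the random bytes URL-safe, so no hash function is involved.
function issueActivationKey(PDO $db, int $userId): string {
    $key  = bin2hex(random_bytes(KEY_BYTES)); // 64 lowercase hex characters
    $stmt = $db->prepare('UPDATE users SET activation_key = ?, activation_expires = ?, failed_tries = 0 WHERE id = ?');
    $stmt->execute([$key, time() + KEY_TTL_SECONDS, $userId]);
    return $key;
}

// Confirm a user from the link's uid and passkey values. Returns true on success.
function confirmUser(PDO $db, int $userId, string $passkey): bool {
    // Validate the expected shape instead of htmlspecialchars(): the key is a lookup value, not HTML output.
    if (!preg_match('/\A[0-9a-f]{64}\z/', $passkey)) {
        return false;
    }
    $stmt = $db->prepare('SELECT activation_key, activation_expires, failed_tries, confirmed FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['confirmed'] === 1 || $row['activation_key'] === null) {
        return false; // unknown user, already confirmed, or no key outstanding
    }
    if ((int)$row['failed_tries'] >= MAX_FAILED_TRIES || time() > (int)$row['activation_expires']) {
        return false; // budget exhausted or link expired: the user must request a new key
    }
    // Constant-time comparison; on success the key is cleared so the link is single-use.
    if (hash_equals($row['activation_key'], $passkey)) {
        $db->prepare('UPDATE users SET confirmed = 1, activation_key = NULL, activation_expires = NULL WHERE id = ?')
           ->execute([$userId]);
        return true;
    }
    $db->prepare('UPDATE users SET failed_tries = failed_tries + 1 WHERE id = ?')->execute([$userId]);
    return false;
}

// Constructed walk-through: one sample account, a wrong key, the right key, then a replay.
$db = openDb();
$db->exec("INSERT INTO users (id, email) VALUES (1, 'user@example.com')"); // sample row, constructed
$key = issueActivationKey($db, 1);
var_dump(confirmUser($db, 1, str_repeat('0', 64))); // bool(false): wrong key, failed_tries becomes 1
var_dump(confirmUser($db, 1, $key));                  // bool(true): confirmed, key cleared
var_dump(confirmUser($db, 1, $key));                  // bool(false): link already used
```

    The link the site e-mails would then look like `confirm.php?uid=1&passkey=<64 hex chars>`; the confirmation page casts `uid` to int and passes both values to `confirmUser()`. With a 256-bit key the per-account attempt counter is belt-and-braces, but it is cheap, and it matters more if a site chooses a shorter key or has the activation link log the user in directly.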
  12. #7
  13. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2012
    Location
    Burb of Detroit, Michigan
    Posts
    86
    Rep Power
    76
    I first would like to say thanks to everyone that helped; it has answered a lot of my questions.

    While I'm at it, I just want to clear a few things up, I never used my password in any manner and as a matter of fact I have modified the "How to program a basic but secure login system" Tutorial that E-Oreo posted here.

    I developed a simple random number generator that I will be using for my verification code, or a modified version. I know from past experience not to touch the password as much as possible. I think of it having its own file cabinet that no other variable can touch. I have been testing this on my local server and so far so good. I will not post on my web server until I'm 99 percent sure it is secure. Though nothing is really 100 percent secure.

    I know from years ago running a BBS (Bulletin Board Service) that a lot of crazy things can happen and that you always have to be on guard for something fishy, and to expect the unexpected; you should have seen what they used to do back in the modem days. It never happened to me, but other sysops have had people make long distance calls on their BBS. What I'll do if I see anything strange is pull the system offline; I did that to my BBS a couple of times. Hopefully, though, if I take the measures up front, it won't happen in the first place or will have very little effect.

    Anyways, again thanks for all the help and information.
