Create Secure Account Activation

Eric

I'm looking for some best practices when it comes time to allowing a user to
create an account for our web app.

For example, a potential customer of ours would fill out an application and
then an email would be sent w/further instructions on how to activate and
login to their account. What's the best way to accomplish this? Should our
system create a unique password for them (initially) and then require them to
create their own? I need a solution that is secure with almost no chance
of someone attempting to impersonate.
 
Mike Brind

Eric said:
I'm looking for some best practices when it comes time to allowing a user to
create an account for our web app.

For example, a potential customer of ours would fill out an application and
then an email would be sent w/further instructions on how to activate and
login to their account. What's the best way to accomplish this? Should our
system create a unique password for them (initially) and then require them to
create their own? I need a solution that is secure with almost no chance
of someone attempting to impersonate.

The only way to do that is to ask users to visit your offices and
personally stand over them while they fill in your form, having checked
their driving licence, passport, irises, references and DNA.

Seriously, though - I can't see much difference between your solution
and allowing users to submit their own password, especially since you
are inviting them to do so anyway. In fact, I would suggest that your
method is LESS secure, in that you will be providing a password by
email, which a lot of people won't change and will keep a copy in their
mailbox. There is much less likelihood of persistent records of
passwords lying around if people are asked to provide one at
registration.

For ideas on best practice, have a trawl round the mega-ecommerce sites
like Amazon, Ebay etc. See how they do it.
 
Eric

The system-created password (in combination with some other piece of data)
would only enable them to then create their own and would not otherwise allow
them access to their account. I'm thinking it would be one more way to
authenticate them before activation. Having them retain it and try to use it
later would prove fruitless.
 
Kyle Peterson

Making them change their password on their 1st login or something like that
might help too.

Check out the free version of aspprotect for some ideas. They also have a
password expiration mod thingie too that you might want to look at:
www.aspprotect.com

Also, search aspin.com for ideas.
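The scheme Eric describes in his second post (a system-generated secret that, combined with another piece of data, only lets the user set their own password and never logs them in) and Kyle's point about forcing a password change on first login both come down to the same mechanism: a single-use, time-limited activation token that is bound to the applicant's email address, stored only as a hash, and consumed by the step in which the user chooses a password. The following is an added example written for this thread, not code from any poster or from aspprotect. The 24-hour window, the 12-character minimum, the PBKDF2 password hash and the in-memory `AccountRegistry` stand-in for a database table are all assumptions made here.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumptions for this example (not from the thread): a 24-hour activation
# window, a 12-character password minimum, and PBKDF2-HMAC-SHA256 as the
# password hash.
ACTIVATION_TTL_SECONDS = 24 * 60 * 60
MIN_PASSWORD_LENGTH = 12
PBKDF2_ROUNDS = 200_000


@dataclass
class PendingAccount:
    email: str
    token_hash: str                      # SHA-256 of the emailed token; the token itself is never stored
    expires_at: float                    # epoch seconds after which the token is dead
    password_hash: Optional[str] = None  # set only by a successful activation
    activated: bool = False


def hash_token(token: str) -> str:
    """Hash the emailed token so a database leak does not leak usable activation links."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2 password hash, stored as hex(salt)$hex(derived key)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)


class AccountRegistry:
    """In-memory stand-in for an accounts table; `now` is injectable so expiry can be tested."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.accounts: Dict[str, PendingAccount] = {}
        self.now = now

    def register(self, email: str) -> str:
        """Create the pending account and return the token to put in the activation email."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; not guessable
        self.accounts[email] = PendingAccount(
            email=email,
            token_hash=hash_token(token),
            expires_at=self.now() + ACTIVATION_TTL_SECONDS,
        )
        return token

    def activate(self, email: str, token: str, new_password: str) -> bool:
        """Consume the token: bound to the email, single-use, time-limited, and it only sets the password."""
        acct = self.accounts.get(email)
        if acct is None or acct.activated or self.now() > acct.expires_at:
            return False
        # Constant-time comparison of the hashes so response timing does not leak the stored value.
        if not hmac.compare_digest(hash_token(token), acct.token_hash):
            return False
        if len(new_password) < MIN_PASSWORD_LENGTH:
            return False
        acct.password_hash = hash_password(new_password)
        acct.activated = True
        return True

    def login(self, email: str, password: str) -> bool:
        """Only an activated account with a user-chosen password can log in; the token never works here."""
        acct = self.accounts.get(email)
        if acct is None or not acct.activated or acct.password_hash is None:
            return False
        return verify_password(password, acct.password_hash)
```

Because the password is chosen as part of activation, there is no emailed password to sit in the user's mailbox and no separate "change on first login" step to enforce; the emailed secret is worthless after one use or after the window closes, which is the property Eric was after. In a real deployment the activation endpoint also needs rate limiting per email and per source address, and a failed password-policy check above deliberately leaves the token unconsumed so the user can retry with a better password.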
 