On 10/11/06, Patrick Crowley <[EMAIL PROTECTED]> wrote:
In my case, the SHA-1 token will probably be the user's login or email. It just needs to be something unique.
On 10/11/06, Patrick Crowley <[EMAIL PROTECTED]> wrote:
So, once I generate the validation token, it's almost certainly unique and the SHA-1 number space is large enough that it would be painful for bots to try hacking the validation process.
Seems to me it needs to be unique and non-trivial to guess. If I were to try breaking such a system, I'd go through the process manually and try hashing all the possible combinations of input I submitted to see if I could reproduce the same hash. So long as you can make that process reasonably non-trivial it seems you should be good to go. If I were you I'd consider using more than one piece of information, or adding some kind of salt. But, like I said, I've never done new account validation before, so I'm sure someone else will have better input :)

-- 
Nick Zadrozny

_______________________________________________
Sdruby mailing list
[email protected]
http://lists.sdruby.com/mailman/listinfo/sdruby
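As an added illustration of the point made in this reply (example code, not from either poster), the snippet below contrasts a token that is a bare SHA-1 of the login/email with one that is keyed with a server-side secret and a per-user salt. It also shows the check an attacker would run, recomputing the hash from the visible inputs, which succeeds against the first form and fails against the second. The function names, the sample address and the secret are constructed for the example.

```ruby
require 'digest'
require 'openssl'
require 'securerandom'

# Weak form: the token is a pure function of data the user supplies, so
# anyone who knows the login/email can recompute it.
def predictable_token(email)
  Digest::SHA1.hexdigest(email)
end

# Hardened form: mix in a per-user random salt (stored with the account)
# and key the hash with a secret that never leaves the server. HMAC-SHA1
# matches the thread's choice of SHA-1; HMAC-SHA256 is the modern pick.
def salted_token(email, salt, secret)
  OpenSSL::HMAC.hexdigest('SHA1', secret, "#{salt}:#{email}")
end

# Fresh salt for a new account (hex, 16 random bytes).
def new_salt
  SecureRandom.hex(16)
end

# The guessing step described in the reply: hash the inputs the client
# submitted and see whether the issued token can be reproduced.
def reproducible_from_public_inputs?(token, email)
  Digest::SHA1.hexdigest(email) == token
end

# Compare tokens without leaking how many leading characters matched.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Server-side validation of a token presented by the user.
def valid_token?(presented, email, salt, secret)
  constant_time_equal?(presented, salted_token(email, salt, secret))
end

if __FILE__ == $PROGRAM_NAME
  email  = 'alice@example.test'         # constructed sample address
  secret = 'replace-with-server-secret' # constructed placeholder secret
  salt   = new_salt
  puts "bare SHA-1 reproducible: #{reproducible_from_public_inputs?(predictable_token(email), email)}"
  puts "salted HMAC reproducible: #{reproducible_from_public_inputs?(salted_token(email, salt, secret), email)}"
end
```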
