Great discussion...I'm going to need to implement something like this in the near future. 

I like Nick's idea of adding salt to the hash.  Otherwise, a potential hacker could create new user accounts and authenticate them without actually having an email account set up. 

1. Register [EMAIL PROTECTED].
2. Get the SHA-1 hash for [EMAIL PROTECTED] (6caeb549651dd6ddd542d4726761a0bac56eaf70).
3. Submit the hash through the predefined URL for authentication.

Of course, this would be contingent on the hacker correctly identifying the authentication string but, if he stumbles across this thread, he'll have a pretty good start! =)

Doug

On 10/11/06, Nick Zadrozny <[EMAIL PROTECTED]> wrote:
On 10/11/06, Patrick Crowley <[EMAIL PROTECTED]> wrote:
> In my case, the SHA-1 token will probably be the user's login or
> email. It just needs to be something unique.

On 10/11/06, Patrick Crowley <[EMAIL PROTECTED]> wrote:
> So, once I generate the validation token, it's almost certainly
> unique and the SHA-1 number space is large enough that it would be
> painful for bots to try hacking the validation process.

Seems to me it needs to be unique and non-trivial to guess. If I were
to try breaking such a system, I'd go through the process manually and
try hashing all the possible combinations of input I submitted to see
if I could reproduce the same hash.

So long as you can make that process reasonably non-trivial it seems
you should be good to go. If I were you I'd consider using more than
one piece of information, or adding some kind of salt. But, like I
said, I've never done new account validation before, so I'm sure
someone else will have better input :)

--
Nick Zadrozny
_______________________________________________
Sdruby mailing list
[email protected]
http://lists.sdruby.com/mailman/listinfo/sdruby
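
The weakness Doug describes and the salt Nick suggests, as an added Ruby example that is not code from this thread: the unkeyed SHA-1 token beside a keyed (HMAC) token, plus a random single-use token as a generalization. `SERVER_SECRET`, the method names, the `PendingValidations` class and the in-memory Hash standing in for a database are all assumptions made for illustration.

```ruby
require "digest"
require "openssl"
require "securerandom"

# Assumption: a secret that lives only in server configuration.
SERVER_SECRET = SecureRandom.hex(32)

# Scheme discussed in the thread: token = SHA-1 of the address alone.
# Anyone who knows the address can compute it without receiving the mail.
def weak_token(email)
  Digest::SHA1.hexdigest(email)
end

# Keyed variant: the secret plays the role of the "salt" suggested above.
def keyed_token(email, secret = SERVER_SECRET)
  OpenSSL::HMAC.hexdigest("SHA256", secret, email.strip.downcase)
end

# Compare without stopping at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def valid_keyed_token?(email, presented, secret = SERVER_SECRET)
  secure_equal?(keyed_token(email, secret), presented.to_s)
end

# Alternative: a random, single-use token unrelated to any user input.
# Only its digest is stored (a Hash stands in for the database here).
class PendingValidations
  def initialize
    @by_digest = {}
  end

  def issue(email)
    token = SecureRandom.urlsafe_base64(32)
    @by_digest[Digest::SHA256.hexdigest(token)] = email
    token
  end

  # Returns the address on first use, nil afterwards or for unknown tokens.
  def redeem(token)
    @by_digest.delete(Digest::SHA256.hexdigest(token.to_s))
  end
end
```

With the keyed or random token, the value in the validation URL can only come from the message the server sent, which is the property the validation step relies on.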
