  1. #1
    Senior Coder doubledee's Avatar

    Question about Activation E-mail

    When a person registers on my website, I create an "activation code" like this...
    PHP Code:
        // Attempt to Create Member.
        if (empty($errors)){
            // Valid form data.

            // Create Activation Code.
            $activationCode = md5($email . uniqid(rand(), true));
    ...and store it in the Member record.

    Then I send the activation code to the registration e-mail and require the user to click on it to - you guessed it! - activate his/her account.


    Do I have to worry that this activation code and/or e-mail could be hacked since I am using just MD5??

    I probably chose it because I was just adapting someone else's code, and it seemed okay at the time.

    FWIW, when I store the Member's password, I do this...
    PHP Code:
        // Create Salt.
        $salt = substr(sha1(uniqid(mt_rand(), true)), 0, 10);

        // Create Hash.
        $hash = hash_hmac('sha512', $pass . $salt, VINEGAR);
    Is my code okay as is?

    Sincerely,


    Debbie

  • #2
    Regular Coder
    Nothing can be "hacked" by getting the code, all the user could do is activate an invalid email, that's about it. To do this, they'd have to have a general idea of how you make the code. If they saw the function you used, they could generate a list of possible codes and then try them with trial and error.

    If you want to use something completely random, check out the generateRandom() function I created here:
    PHP Code:
    /*
    * @credit Dubz
    *
    * Generates a random string
    *
    * @param $length The length of the string to return
    * @param $lower Include lower-case characters
    * @param $upper Include upper-case characters
    * @param $numeric Include numeric characters
    * @return A randomly generated string or false if empty
    */
    function generateRandom($length = 8, $lower = true, $upper = true, $numeric = true)
    {
        $length = (String)floor($length);
        if(!ctype_digit($length) || $length < 1)
            return false;
        $array = array();
        $string = '';
        if($lower)
            $array = array_merge($array, range('a', 'z'));
        if($upper)
            $array = array_merge($array, range('A', 'Z'));
        if($numeric)
            $array = array_merge($array, range('0', '9'));
        if(empty($array))
            return null;
        while(strlen($string) < $length)
        {
            $string .= $array[array_rand($array)];
        }
        return $string;
    }

    I may change it later on down the road to make it more "random" (right now it generates more letters than numbers, since there's a 52:10 ratio for mixed alphanumeric). Change it how you wish if you want to, up to you. I always use this over any sha1() or md5() however, if I'm looking for randomness.

    If you want to check out the other functions I've come up with, which I always include in every one of my applications, you can do so here.

  • #3
    Senior Coder Dormilich's Avatar
    Quote Originally Posted by doubledee View Post
    FWIW, when I store the Member's password, I do this...
    PHP Code:
        // Create Salt.
        $salt = substr(sha1(uniqid(mt_rand(), true)), 0, 10);

        // Create Hash.
        $hash = hash_hmac('sha512', $pass . $salt, VINEGAR);
    Is my code okay as is?
    it certainly is ok. nevertheless, the use of two salts is IMHO pointless. just using hash_hmac('sha512', $pass, $salt); suffices to counter rainbow table attacks (which is the reason salts were created in the first place).

    if you want to use stronger security, use bcrypt for password hashing (e.g. via PHP 5.5’s password_hash() function or the password-compat polyfill)
    The computer is always right. The computer is always right. The computer is always right. Take it from someone who has programmed for over ten years: not once has the computational mechanism of the machine malfunctioned.
    André Behrens, NY Times Software Developer

  • #4
    Senior Coder doubledee's Avatar
    Quote Originally Posted by Dormilich View Post
    it certainly is ok. nevertheless, the use of two salts is IMHO pointless. just using hash_hmac('sha512', $pass, $salt); suffices to counter rainbow table attacks (which is the reason salts were created in the first place).

    if you want to use stronger security, use bcrypt for password hashing (e.g. via PHP 5.5’s password_hash() function or the password-compat polyfill)
    Okay, thanks for the tips!


    But back to my original question...

    Is my code sufficient for creating the Activation Code, or should I ditch the MD5 thingy?

    Sincerely,


    Debbie

  • #5
    Senior Coder Dormilich's Avatar
    it depends on how many activation codes are "active" at the same time (well, I assume you delete them once the account was activated). you have 128 bits of total entropy minus the collision probability (don’t ask me what that is for MD5), but I guess you won’t see any of those in your system.
    The computer is always right. The computer is always right. The computer is always right. Take it from someone who has programmed for over ten years: not once has the computational mechanism of the machine malfunctioned.
    André Behrens, NY Times Software Developer

  • #6
    Senior Coder doubledee's Avatar
    Quote Originally Posted by Dormilich View Post
    it depends on how many activation codes are "active" at the same time (well, I assume you delete them once the account was activated). you have 128 bits of total entropy minus the collision probability (don’t ask me what that is for MD5), but I guess you won’t see any of those in your system.
    Yes, once the user clicks on the link - and is redirected to my "activate.php" script, I run an UPDATE and remove the Activation Code from the database.

    So it sounds like my code is sufficient for now... (I'm trying to avoid perpetual code rewrites so I can finish up and go live!)

    Sincerely,


    Debbie

  • #7
    Master Coder felgall's Avatar
    For hashing the password the best function to use is password_hash() which comes built into PHP 5.5 and as an add-on for PHP 5.3

    If you use that function for the password then it can automatically upgrade which hash is used in the future if a better hash becomes available. It does the update as people log in so that it is done completely invisibly.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.
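
An added example, not code from any poster in this thread, of the upgrade-on-login pattern described in post #7: the login code itself calls password_needs_rehash(), and the same hook moves accounts off the hash_hmac() scheme from post #1. The VINEGAR value, the salt and the $member record layout are constructed for illustration.

```php
<?php
// Added example (not from the thread); VINEGAR value and record layout are constructed.
declare(strict_types=1);

const VINEGAR = 'constructed-site-wide-key';

// Legacy check, matching the hash_hmac() scheme shown in post #1.
function legacyVerify(string $pass, string $salt, string $hash): bool
{
    return hash_equals($hash, hash_hmac('sha512', $pass . $salt, VINEGAR));
}

// Returns true on a successful login; upgrades $member in place when needed.
function login(array &$member, string $pass): bool
{
    if ($member['salt'] !== null) {                // record is still on the legacy scheme
        if (!legacyVerify($pass, $member['salt'], $member['hash'])) {
            return false;
        }
        // The plaintext is only available at login, so convert the record now.
        $member['hash'] = password_hash($pass, PASSWORD_DEFAULT);
        $member['salt'] = null;                    // password_hash() embeds its own salt
        return true;
    }
    if (!password_verify($pass, $member['hash'])) {
        return false;
    }
    // Re-hash when PASSWORD_DEFAULT or its cost differs from what produced this hash.
    if (password_needs_rehash($member['hash'], PASSWORD_DEFAULT)) {
        $member['hash'] = password_hash($pass, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed legacy record, as the post #1 code would have stored it.
$salt   = 'a1b2c3d4e5';
$member = ['salt' => $salt, 'hash' => hash_hmac('sha512', 'correct horse' . $salt, VINEGAR)];

var_dump(login($member, 'wrong guess'));       // rejected, record untouched
var_dump(login($member, 'correct horse'));     // accepted via legacy check, record converted
var_dump($member['salt'] === null);            // record no longer carries a separate salt
var_dump(login($member, 'correct horse'));     // accepted via password_verify()
```

In a real application the updated hash is written back to the Member record inside login().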

  • #8
    Senior Coder doubledee's Avatar
    Quote Originally Posted by felgall View Post
    For hashing the password the best function to use is password_hash() which comes built into PHP 5.5 and as an add-on for PHP 5.3

    If you use that function for the password then it can automatically upgrade which hash is used in the future if a better hash becomes available. It does the update as people log in so that it is done completely invisibly.
    Good to know, but the OP is about my code for the Activation Code...


    Debbie

  • #9
    Regular Coder
    You guys are talking about password encryption, she's asking about creating codes to activate their account (verify your email).

    The function I supplied is more than enough to ensure randomness. I only included this to be sure users can't "guess" their code and activate their account without access to the email.

    As for the number of active codes, if you have 10 codes or 10000 codes active, it won't matter. It should be tied to their account, otherwise how would you know who to activate? If user A has code abc123, user B has code def456, and user C gets code abc123 again (out of randomness), it won't matter because you should require the user to either input their email/login info, or contain the activation ID or user ID in the link, that way you know who you're trying to confirm and not just swinging around randomly until you hit something.
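
An added example, not code from any poster in this thread, of an activation flow that combines the points raised above: the code is tied to the member ID in the link, cleared on use, and drawn from random_bytes() because the PHP manual documents uniqid(), rand() and array_rand() as not cryptographically secure. It assumes PHP 7+ with pdo_sqlite; the member table, its columns and the example.com URL are hypothetical.

```php
<?php
// Added example (not from the thread); table and column names are assumptions.
declare(strict_types=1);

// Constructed in-memory table so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE member (id INTEGER PRIMARY KEY, email TEXT,
    activation_hash TEXT, activation_expires INTEGER, activated INTEGER DEFAULT 0)');
$pdo->exec("INSERT INTO member (email) VALUES ('user@example.com')");

function issueActivation(PDO $pdo, int $memberId, int $ttl = 86400): string
{
    $token = bin2hex(random_bytes(16));            // 128 bits from the OS CSPRNG
    // Store only a hash, so a leaked table does not reveal usable links.
    $stmt = $pdo->prepare('UPDATE member SET activation_hash = ?, activation_expires = ?
                           WHERE id = ? AND activated = 0');
    $stmt->execute([hash('sha256', $token), time() + $ttl, $memberId]);
    return "https://example.com/activate.php?id=$memberId&code=$token";
}

function activate(PDO $pdo, int $memberId, string $token): bool
{
    $stmt = $pdo->prepare('SELECT activation_hash, activation_expires FROM member
                           WHERE id = ? AND activated = 0');
    $stmt->execute([$memberId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['activation_hash'] === null || (int)$row['activation_expires'] < time()) {
        return false;                              // unknown, already used, or expired
    }
    // Constant-time comparison of the stored hash with the hash of the supplied code.
    if (!hash_equals($row['activation_hash'], hash('sha256', $token))) {
        return false;
    }
    // Single use: clear the code in the same step that activates the account.
    $pdo->prepare('UPDATE member SET activated = 1, activation_hash = NULL,
                   activation_expires = NULL WHERE id = ?')->execute([$memberId]);
    return true;
}

$link = issueActivation($pdo, 1);
parse_str((string)parse_url($link, PHP_URL_QUERY), $q);
var_dump(activate($pdo, 1, str_repeat('0', 32)));  // wrong code for this member
var_dump(activate($pdo, 1, $q['code']));           // code from the e-mailed link
var_dump(activate($pdo, 1, $q['code']));           // same link replayed after activation
```

Rate-limiting failed attempts per member ID on activate.php complements this, since the ID in the link tells the server which account is being tried.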

  • #10
    Senior Coder doubledee's Avatar
    Quote Originally Posted by Dubz View Post
    You guys are talking about password encryption, she's asking about creating codes to activate their account (verify your email).

    The function I supplied is more than enough to ensure randomness. I only included this to be sure users can't "guess" their code and activate their account without access to the email.

    As for the number of active codes, if you have 10 codes or 10000 codes active, it won't matter. It should be tied to their account, otherwise how would you know who to activate? If user A has code abc123, user B has code def456, and user C gets code abc123 again (out of randomness), it won't matter because you should require the user to either input their email/login info, or contain the activation ID or user ID in the link, that way you know who you're trying to confirm and not just swinging around randomly until you hit something.
    You have a valid point.

    It sounds like what I have will work for now, and in my next version I will take into account what you have said and try to improve things.

    Thanks!

    Sincerely,


    Debbie

