Posted to user@shiro.apache.org by Tauren Mills <ta...@tauren.com> on 2009/09/18 03:19:59 UTC

New account activation link advice

This might be a little off-topic, but I figured shiro users would have
experience or opinions on this.

I'm looking for advice on creating an activation link that is emailed to a
new user of a web site. In a previous small project I created a string like
the following and then used a Base64 hash on it:

username:datecreated:emailaddress:expiredate

When a link with the hash is clicked, the values would be extracted and used
to look up the account, verify that the date created and email address
match, and that the current date is before the expire date.  If this all
matches, then the account would be activated.

However, this isn't terribly secure.  Anyone have advice on a better way to
do this? Does shiro provide any encryption/decryption features that I could
use to make it stronger? Are there recommended encryption tools I should be
using for this?

Lastly, I also need a forgot/reset password link for my current project and
want to make it more secure as well.

Thanks,
Tauren
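
The scheme in the post, base64 over the joined fields, can be decoded and re-encoded by anyone who holds a link, because base64 is an encoding rather than a hash or a MAC; what the link needs is an integrity check keyed with a secret only the server knows. The following is an added Python example (not from the original post and not Shiro code) that shows the forgery against the base64 scheme next to an HMAC-SHA256-signed token whose signed data carries a purpose and an expiry. SERVER_KEY, the field layout and the purpose names are assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac
import secrets


def legacy_token(username: str, created: int, email: str, expires: int) -> str:
    """The post's scheme: the fields joined and base64-encoded. Base64 is an
    encoding, not a hash or a MAC, so the token carries no proof of origin."""
    raw = f"{username}:{created}:{email}:{expires}"
    return base64.urlsafe_b64encode(raw.encode()).decode()


def decode_legacy_token(token: str) -> list:
    """What the server (and anyone else) recovers from a legacy token."""
    return base64.urlsafe_b64decode(token).decode().split(":")


def forge_legacy_token(token: str, new_expires: int) -> str:
    """Whoever holds a legacy token can decode it, change a field (here the
    expiry) and re-encode it; the server cannot tell the copy from the original."""
    fields = decode_legacy_token(token)
    fields[3] = str(new_expires)
    return base64.urlsafe_b64encode(":".join(fields).encode()).decode()


# Hypothetical server-side secret. In a real deployment load it from
# configuration or a secret store; generating it per process is only for the example.
SERVER_KEY = secrets.token_bytes(32)


def make_signed_token(user_id: str, purpose: str, ttl_seconds: int, now: int,
                      key: bytes = SERVER_KEY) -> str:
    """b64(payload) '.' b64(HMAC-SHA256(key, payload)), both URL-safe.
    The purpose field stops an activation link being replayed as a reset link."""
    payload = f"{purpose}:{user_id}:{now + ttl_seconds}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def verify_signed_token(token: str, purpose: str, now: int,
                        key: bytes = SERVER_KEY):
    """Return the user_id the token was minted for, or None if it is malformed,
    forged, meant for another purpose, or expired. Nothing in the payload is
    trusted until the MAC has been checked with a constant-time compare."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        got_purpose, user_id, expires = payload.decode().split(":")
        expires_at = int(expires)
    except (ValueError, UnicodeDecodeError):
        return None
    if got_purpose != purpose or now >= expires_at:
        return None
    return user_id
```

A signed token of this kind is stateless, so by itself it cannot be made single-use: a reset link that has already been redeemed keeps verifying until it expires. The usual remedies are a short expiry plus either a server-side record of redeemed tokens or folding something that changes on use, such as the account's current password hash, into the MAC input (recomputed from the database, never placed in the link). Keep the key out of the token and out of source control, and compare MACs only with hmac.compare_digest.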

Re: New account activation link advice

Posted by Kalle Korhonen <ka...@gmail.com>.
On Thu, Sep 17, 2009 at 10:42 PM, Tauren Mills <yo...@gmail.com> wrote:
> Thanks for the reply. So do you require that they re-enter the password to
> validate the account? Or just the fact that the password hash matches is
> good enough? Do you send these two things in the clear as query params, or

I don't typically require anything else - obviously you could if you
needed the extra security.

> do you URLencode them together?

I've done both ways, in clear and lightly encoded together. But I
mostly rely on these two things for security: account can only be
activated if it's in locked state and that the link expires quickly.

Kalle


> On Thu, Sep 17, 2009 at 6:34 PM, Kalle Korhonen <ka...@gmail.com>
> wrote:
>>
>> I simply send the password hash in the activation/password reset
>> emails (I use the same mechanism for both) together with the email
>> address/username. If account is locked and expired, user is allowed to
>> activate it and is forced to choose a new password, after which I set
>> the account back to enabled. Additionally, I set an expiration date -
>> for activation cases it's obviously a fairly short period (e.g. 24h)
>> but can be used to expire a regular password as well.
>>
>> Kalle
>>
>>
>> On Thu, Sep 17, 2009 at 6:19 PM, Tauren Mills <ta...@tauren.com> wrote:
>> > This might be a little off-topic, but I figured shiro users would have
>> > experience or opinions on this.
>> >
>> > I'm looking for advice on creating an activation link that is emailed to a
>> > new user of a web site. In a previous small project I created a string like
>> > the following and then used a Base64 hash on it:
>> >
>> > username:datecreated:emailaddress:expiredate
>> >
>> > When a link with the hash is clicked, the values would be extracted and used
>> > to look up the account, verify that the date created and email address
>> > match, and that the current date is before the expire date.  If this all
>> > matches, then the account would be activated.
>> >
>> > However, this isn't terribly secure.  Anyone have advice on a better way to
>> > do this? Does shiro provide any encryption/decryption features that I could
>> > use to make it stronger? Are there recommended encryption tools I should be
>> > using for this?
>> >
>> > Lastly, I also need a forgot/reset password link for my current project and
>> > want to make it more secure as well.
>> >
>> > Thanks,
>> > Tauren
>> >
>> >
>
>

Re: New account activation link advice

Posted by Tauren Mills <yo...@gmail.com>.
Kalle,

Thanks for the reply. So do you require that they re-enter the password to
validate the account? Or just the fact that the password hash matches is
good enough? Do you send these two things in the clear as query params, or
do you URLencode them together?

Tauren

On Thu, Sep 17, 2009 at 6:34 PM, Kalle Korhonen <ka...@gmail.com> wrote:

> I simply send the password hash in the activation/password reset
> emails (I use the same mechanism for both) together with the email
> address/username. If account is locked and expired, user is allowed to
> activate it and is forced to choose a new password, after which I set
> the account back to enabled. Additionally, I set an expiration date -
> for activation cases it's obviously a fairly short period (e.g. 24h)
> but can be used to expire a regular password as well.
>
> Kalle
>
>
> On Thu, Sep 17, 2009 at 6:19 PM, Tauren Mills <ta...@tauren.com> wrote:
> > This might be a little off-topic, but I figured shiro users would have
> > experience or opinions on this.
> >
> > I'm looking for advice on creating an activation link that is emailed to a
> > new user of a web site. In a previous small project I created a string like
> > the following and then used a Base64 hash on it:
> >
> > username:datecreated:emailaddress:expiredate
> >
> > When a link with the hash is clicked, the values would be extracted and used
> > to look up the account, verify that the date created and email address
> > match, and that the current date is before the expire date.  If this all
> > matches, then the account would be activated.
> >
> > However, this isn't terribly secure.  Anyone have advice on a better way to
> > do this? Does shiro provide any encryption/decryption features that I could
> > use to make it stronger? Are there recommended encryption tools I should be
> > using for this?
> >
> > Lastly, I also need a forgot/reset password link for my current project and
> > want to make it more secure as well.
> >
> > Thanks,
> > Tauren
> >
> >
>

Re: New account activation link advice

Posted by Kalle Korhonen <ka...@gmail.com>.
I simply send the password hash in the activation/password reset
emails (I use the same mechanism for both) together with the email
address/username. If account is locked and expired, user is allowed to
activate it and is forced to choose a new password, after which I set
the account back to enabled. Additionally, I set an expiration date -
for activation cases it's obviously a fairly short period (e.g. 24h)
but can be used to expire a regular password as well.

Kalle


On Thu, Sep 17, 2009 at 6:19 PM, Tauren Mills <ta...@tauren.com> wrote:
> This might be a little off-topic, but I figured shiro users would have
> experience or opinions on this.
>
> I'm looking for advice on creating an activation link that is emailed to a
> new user of a web site. In a previous small project I created a string like
> the following and then used a Base64 hash on it:
>
> username:datecreated:emailaddress:expiredate
>
> When a link with the hash is clicked, the values would be extracted and used
> to look up the account, verify that the date created and email address
> match, and that the current date is before the expire date.  If this all
> matches, then the account would be activated.
>
> However, this isn't terribly secure.  Anyone have advice on a better way to
> do this? Does shiro provide any encryption/decryption features that I could
> use to make it stronger? Are there recommended encryption tools I should be
> using for this?
>
> Lastly, I also need a forgot/reset password link for my current project and
> want to make it more secure as well.
>
> Thanks,
> Tauren
>
>
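
Kalle's two replies above tie the link to the account being in a locked state and to a short expiry, and use the password hash in the mail as the proof. A variant that keeps those same two controls but puts nothing derived from the password into the e-mail is a random, single-use token that the server stores only as a digest. The following is an added Python example, not code from the thread and not Shiro's API; Account, PendingToken, TokenStore, the status names and the purpose names are assumptions made for the example, and the in-memory dicts stand in for database tables.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict


@dataclass
class Account:
    user_id: str
    email: str
    password_hash: str      # stored verifier; it never goes into an e-mail
    status: str = "locked"  # new accounts start locked; "enabled" once activated


@dataclass
class PendingToken:
    user_id: str
    purpose: str            # "activate" or "reset"; links are not interchangeable
    expires_at: int         # unix seconds
    used: bool = False


class TokenStore:
    """Server-side record of outstanding links, keyed by a digest of the secret.

    The secret exists only in the e-mailed URL; the store holds its SHA-256,
    so a read-only leak of the table does not yield usable links.
    """

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.pending: Dict[bytes, PendingToken] = {}

    @staticmethod
    def _key(secret: str) -> bytes:
        return hashlib.sha256(secret.encode()).digest()

    def _revoke_all(self, user_id: str) -> None:
        for rec in self.pending.values():
            if rec.user_id == user_id:
                rec.used = True

    def issue(self, user_id: str, purpose: str, ttl_seconds: int, now: int) -> str:
        """Mint a fresh single-use secret; only one link per account is live at a time."""
        if user_id not in self.accounts:
            raise KeyError(user_id)
        self._revoke_all(user_id)
        secret = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: unguessable
        self.pending[self._key(secret)] = PendingToken(user_id, purpose, now + ttl_seconds)
        return secret                        # the caller puts this in the URL

    def redeem(self, secret: str, purpose: str, new_password_hash: str, now: int) -> bool:
        """Consume the link: checks existence, purpose, expiry, single use and account state."""
        # Lookup is by digest, so no stored secret is ever compared against input.
        rec = self.pending.get(self._key(secret))
        if rec is None or rec.used or rec.purpose != purpose or now >= rec.expires_at:
            return False
        acct = self.accounts.get(rec.user_id)
        if acct is None:
            return False
        if purpose == "activate" and acct.status != "locked":
            return False                     # already activated: the link is dead
        rec.used = True                      # burn it before touching the account
        acct.password_hash = new_password_hash
        acct.status = "enabled"
        self._revoke_all(rec.user_id)        # a password change kills every other outstanding link
        return True
```

Points to carry over to a real implementation: store the token's digest rather than the token, so a leaked table does not give working links; bind each token to one purpose, so an activation link cannot act as a reset link; mark the record used before changing the account, so a crash in between fails closed; and revoke every outstanding link when the password changes. Issuing a reset should not by itself lock the account, otherwise anyone who knows an address can lock its owner out; the example only requires the locked state for activation.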