When someone registers at my website, my registration script sends an “Activation Email” to the e-mail address used during registration.
The registrant gets an e-mail like this…
Dear Jane Doe,
Thanks for creating a new account at www.Debbie.com
To activate your account, please click on the link below:
http://local.debbie/account/activate.php?x=0ff70b3a23cf00d0cd7936ee57feb60d
Sincerely,
Webmaster
Even though this is a very common approach, I am starting to question how secure it really is?! :-/
For example, what is stopping a hacker from trying to “brute force” the URL above and sending thousands of bogus requests, with the goal of activating Member Accounts where the actual “registrant” has not yet seen the e-mail?!
There is also the issue that a hacker could just keep sending requests trying to guess a particular registrant’s Activation Code.
Using this approach is supposed to be more secure, because the thought-process is that only the person who registered has access to his/her e-mail account, and so the Activation Email is safe.
But look at how low the bar is set with this e-mail!!!
I can see NOTHING that stops someone with too much time on his/her hands from just going to…
http://local.debbie/account/activate.php?x=
…and hacking away?!
I’m definitely not trying to make any additional work for myself, however, this whole “Member Account Activation Email” seems rather flaky the more I think about it…
Thoughts?
Sincerely,
Debbie
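An added example to put numbers on the brute-force worry raised above (this is not Debbie's code and not the site's; the in-memory store, the function names, and the "weak generator" used for contrast are all assumptions made for illustration). It issues 32-hex-character codes from the OS CSPRNG, stores only a hash of each code, makes codes single-use and expiring, and estimates how long a blind guessing attack against the 128-bit space would take. For contrast it also includes a hypothetical predictable generator (md5 of the registration timestamp) and shows how quickly such a code is recovered, to make the point that the length of the code says nothing about its guessability; nothing in the post indicates the site actually generates codes that way.

```python
"""Activation-code issue/verify logic plus a worked brute-force estimate.

Added example for the thread above; not from the original post. The store,
names and the weak md5-of-timestamp generator are illustrative assumptions.
"""
import hashlib
import math
import re
import secrets
import time

TOKEN_BYTES = 16                 # 128 bits -> 32 hex chars, same length as the code in the post
TOKEN_TTL_SECONDS = 24 * 3600    # an unused code stops working after a day
HEX32 = re.compile(r"^[0-9a-f]{32}$")


def expected_guesses(token_bits, outstanding_tokens):
    """Average blind guesses before hitting ANY of the currently valid codes.

    More unactivated accounts means more targets, so the space shrinks linearly.
    """
    return 2 ** token_bits / (2 * outstanding_tokens)


def years_to_brute_force(token_bits, outstanding_tokens, guesses_per_second):
    """Wall-clock years for the attack at a given request rate."""
    seconds = expected_guesses(token_bits, outstanding_tokens) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def weak_code(registration_time):
    """Hypothetical predictable generator, for contrast only: md5 of the
    registration timestamp. Looks like a 32-hex code but has ~1 guess per second
    of uncertainty. Not claimed to be what the post's site does."""
    return hashlib.md5(str(int(registration_time)).encode()).hexdigest()


def guess_weak_code(target, around_time, window_seconds=3600):
    """Recover the timestamp behind a weak_code() output by trying every second
    in a window around the approximate registration time."""
    base = int(around_time)
    for offset in range(-window_seconds, window_seconds + 1):
        if weak_code(base + offset) == target:
            return base + offset
    return None


class ActivationStore:
    """In-memory stand-in for the accounts table.

    Keyed by sha256(code): a leaked database does not contain usable links, and
    looking up the digest of the presented value avoids byte-by-byte comparison
    of the secret itself. Only the code travels in the URL, as in the post, so
    the lookup is by code rather than by user.
    """

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}     # sha256(code) -> {"user": ..., "expires_at": ...}
        self.activated = set()

    def issue(self, user):
        code = secrets.token_hex(TOKEN_BYTES)   # OS CSPRNG; unpredictable, unlike a timestamp hash
        self.pending[self._digest(code)] = {
            "user": user,
            "expires_at": self.now() + TOKEN_TTL_SECONDS,
        }
        return code

    def activate(self, presented):
        """Return the activated user, or None. Codes are single-use and expire."""
        if not HEX32.fullmatch(presented):       # reject junk before touching storage
            return None
        key = self._digest(presented)
        record = self.pending.get(key)
        if record is None:
            return None
        if self.now() > record["expires_at"]:
            del self.pending[key]                # expired: drop it, do not activate
            return None
        del self.pending[key]                    # burn the code so the link cannot be replayed
        self.activated.add(record["user"])
        return record["user"]

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).hexdigest()


if __name__ == "__main__":
    store = ActivationStore()
    code = store.issue("jane")
    print("activated:", store.activate(code), "replay:", store.activate(code))
    print("years to brute-force 1M live codes at 1e9 req/s:",
          f"{years_to_brute_force(128, 1_000_000, 1e9):.2e}")
    ts = 1_700_000_000
    print("weak code recovered at:", guess_weak_code(weak_code(ts + 123), ts))
```

The numbers are the useful part: with a million unactivated accounts and a billion guesses per second, a blind attack on a random 128-bit code still takes on the order of 10^15 years, so the URL shape in the post is not the weakness. What does make a scheme like this flaky is a code derived from something guessable, a code that never expires or can be used more than once, and a server that happily answers thousands of wrong guesses without slowing down or logging them; the store above closes the first three, and per-IP rate limiting on activate.php covers the last.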