1

Currently i wrote an e-mail verification code that sends a link that has user's GUID as his verification code. I don't think that this is safe, so i want to hear from you, what are the best and easiest methods of creating a verification code?

The easiest-easiest way i think is to create some kind of hash and put it in the database, and when user clicks on his link, it compares link value with hash in my database. But why would i need a single column in my database that is used only once? That's a waste of space.

Erik Philips
  • 48,663
  • 7
  • 112
  • 142
ojek
  • 8,047
  • 16
  • 65
  • 106
  • Why do you think the user's GUID is not a secure approach? It should be close to truly random and un-guessable... – Jon Malcolm Jan 02 '13 at 19:38
  • To be honest, i have no idea why GUID in verification link is a bad practice, but i feel inside me, that i shouldn't use it that way. ;-) – ojek Jan 02 '13 at 19:41
  • 1
    @Jon - I would disagree. Having a user's GUID in plain text would be a fair security risk and definitely not a best practice. Opens the possibilities for user impersonation, etc. – CAbbott Jan 02 '13 at 19:43
  • Well you could salt the GUID with something static, and then hash the result. That way you have nothing extra in the database. – Brian White Jan 02 '13 at 20:57

2 Answers2

3

Typically you create a random value (Guid is fine for this) that is a reset password code. The code should expire and should only be able to be used once. You don't want someone reading someone old mail that contains a password reset and being able to reset the code (because the code would always be the same using the UserID Guid).

Take a look at The definitive guide to forms based website authentication here on SO, it has a lot of useful information.

Community
  • 1
  • 1
Erik Philips
  • 48,663
  • 7
  • 112
  • 142
2

I would say that you could do simple symmetric encryption on the user's GUID (possibly with a SALT) and then simply decrypt the user's GUID as verification.

CAbbott
  • 7,998
  • 4
  • 29
  • 38
  • Yes. I was looking at this approach before i created this thread, and it looks about what i need. But i doesn't totally understand that whole encrypting thing. The problem is, that to encrypt something you need a "password". Where do i keep this password? Am i supposed to hardcode it? – ojek Jan 02 '13 at 19:45
  • There are several places where your symmetric key could be held: database, web.config or even code. Usually it can be held right within your web.config. – CAbbott Jan 02 '13 at 19:47
  • 1
    Storing the Salt in the Database and the Key in the Web.config is a very good solution as someone would have to both have your web.config and your database values to figure out the reset code. – Erik Philips Jan 02 '13 at 19:49