
After a client buys a serial key, he receives an e-mail containing a key. With that token key he can access a page where he can see the serial he wanted. I wonder how I can make this safe against brute-force attacks?

I thought that one idea is to use case-sensitive alphanumeric strings at least 12 characters long. To make it faster, the string is attached to a link in the e-mail, e.g.:

www.foo.com/get_serial.php?token=23As4s74dsFDs412s

To improve security I thought it would be a good idea to have a captcha verification, but with logical answers like: "A man has twenty : (fingers)" or something. I need suggestions to make this as safe and fast as possible.

  • Why don't you just email the serial codes? – Halcyon May 16 '14 at 14:34
  • Men have 20 fingers where you live? – Mattt May 16 '14 at 14:36
  • I can't do this, I am blocked by one of my providers. – Alex7 May 16 '14 at 14:36
  • Then how are you sending the email with the link? – Mattt May 16 '14 at 14:36
  • Because they need to see the serial on a page with a specified format which can't be displayed in an email. – Alex7 May 16 '14 at 14:38
  • I thought about this too before, believe me, this is the only way, as I said in the initial post. Please tell me if you need any further info. – Alex7 May 16 '14 at 14:40
  • How can you receive a USB hardware device by email? – Alex7 May 16 '14 at 14:46
  • It was just your wording that was unclear, I've improved it now. You could allow IP addresses one attempt every few seconds, and ask them to try later if too many attempts are detected. That will balance out multiple users legitimately using proxies whilst slowing down people attempting brute force attacks. – halfer May 16 '14 at 15:03
  • OK, thanks. So I shouldn't need the captcha script anymore. Is there any difference between www.foo.com/get_serial.php?token=23As4s74dsFDs412s and www.foo.com/get_serial.php where he must copy-paste the key? – Alex7 May 16 '14 at 15:09
  • Not really. If the key has much value, you could consider serving that through SSL - although of course if it has gone out via email it's already theoretically compromised. – halfer May 16 '14 at 15:20
  • I have SSL already. Most people just use simple Yahoo or Google addresses, so it should be fine. Thanks – Alex7 May 16 '14 at 15:50
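As an added illustration (not code from the question or its comments, and written in Python rather than the PHP of get_serial.php), here is the scheme discussed above: a CSPRNG-generated token of the 12 case-sensitive alphanumeric characters the asker proposes, stored only as a hash so a leaked table does not expose live links, and the per-IP throttle halfer suggests (one attempt every few seconds, then a lock-out after repeated failures). The class, method and parameter names are assumptions.

```python
import hashlib
import math
import secrets
import string
from typing import Dict, Optional, Tuple

ALPHABET = string.ascii_letters + string.digits  # 62 case-sensitive symbols

def token_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random token: length * log2(alphabet size).
    12 symbols from 62 give about 71.5 bits, far beyond online guessing."""
    return length * math.log2(alphabet_size)

def generate_token(length: int = 12) -> str:
    """Draw the token from the CSPRNG (secrets), never from random.random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def token_fingerprint(token: str) -> str:
    """Only this hash is stored; the plain token exists only in the e-mail link."""
    return hashlib.sha256(token.encode()).hexdigest()

class SerialService:
    """Hypothetical store plus per-IP throttle (in-memory for the example)."""

    def __init__(self, min_interval: float = 3.0, max_failures: int = 5,
                 lockout: float = 600.0):
        self._serials: Dict[str, str] = {}          # sha256(token) -> serial
        self._last_attempt: Dict[str, float] = {}   # ip -> time of last attempt
        self._failures: Dict[str, int] = {}         # ip -> consecutive failures
        self._locked_until: Dict[str, float] = {}   # ip -> lock-out expiry
        self.min_interval, self.max_failures, self.lockout = min_interval, max_failures, lockout

    def issue(self, serial: str) -> str:
        token = generate_token()
        self._serials[token_fingerprint(token)] = serial
        return token  # caller puts this in the e-mail link

    def get_serial(self, ip: str, token: str, now: float) -> Tuple[str, Optional[str]]:
        """Return (status, serial). Throttling is applied before any lookup."""
        if now < self._locked_until.get(ip, 0.0):
            return ("locked", None)
        if now - self._last_attempt.get(ip, -math.inf) < self.min_interval:
            return ("slow_down", None)  # "try again later", per the comment thread
        self._last_attempt[ip] = now
        serial = self._serials.get(token_fingerprint(token))
        if serial is None:
            self._failures[ip] = self._failures.get(ip, 0) + 1
            if self._failures[ip] >= self.max_failures:
                self._locked_until[ip] = now + self.lockout
            return ("invalid", None)
        self._failures.pop(ip, None)
        return ("ok", serial)
```

In a real deployment the throttle state would live in a shared store (database or cache) rather than process memory, and the page would be served over HTTPS as the asker already does.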

0 Answers