I'm writing an ASP.NET MVC application, which uses the Membership database to store user registrations. I use email addresses as usernames. When a user registers in my app, I send out an email-confirmation to the address they have used during registration. i.e. I send out an email with a link, which the user is supposed to click, to verify that the address belongs to him.
Until that link is clicked, the account remains 'Unconfirmed' (i.e. EmailConfirmed column equals False). Which means, the account is created, just not active.
How do I deal with a hacker who brute-force creates accounts? I see two big problems here:
Ever-increasing size of the Membership database. A single user, from
a single computer is not a threat, but what if he has 'zombie'
computers?
If User1 creates account with User2#example.com email and
User2 ignores the activation email, the account will essentially
remain locked (unconfirmed), but existing. If User2 decides later to
actually create an account, they can't use their email to register
(account already exists) and they can't Reset Password either -
because even if they reset the password, that does not necessarily
Activate the account.
As for 2) I see a couple of options:
Set expiration date on unconfirmed accounts - i.e. allow the username/email to be claimed again, if the email is not confirmed with 24hrs
Modify my Reset Password method to also activate the account, if it has not been activated. Is that a good idea? I mean, the person would receive an email for that, which is essentially a confirmation, if they click the reset password link in it.
Anything else?
What about 1)? How do I protect myself against bulk create of accounts? Aside from limiting 1 account per IP, per day, using code.
One simple way to deal with this kind of problem is crude but effective.
I usually add an additional field to the form that doesn't form part of what I need - but has a legitmate sounding name like 'Company' - and then I hide it from screen view using CSS. Real user's will never see this on screen, but a bot crawling through the HTML will find it.
Then, when the form is submitted, first I check to see if that form field has a value. If it has - I stop the page from executing any further or just return an HTTP Error as in 99.9% of times only a bot would have filled out that field - not a real user.
//anti-bot measure
if (!String.IsNullOrEmpty(Company.Text))
{
HttpContext.Current.Response.StatusCode = 400;
HttpContext.Current.Response.Status = "400 Bad Request";
HttpContext.Current.Response.End();
}
//carry on processing the form...
I've been using this technique on forms for several years and it's been extremely effective!
Related
We are tracking a forgot password workflow action using adobe site catalyst. The flow happens something like below
User requests for forgot password
He provides the email address and clicks on create new password
New password generation like is send to his email address
User clicks on this link and generates a new password
First 3 actions occurs in the same browser. The 4th activity can occur in the same browser or a different browser. Because of this, site catalyst considers that user as a different one (different visitor ID) and considers that as a totally different visit. Ideally the number of users who completes activity 4 should be less than that completes 1,2,3.
But for us, we are seeing more users who completes activity 4 which could be because of this different visitor issue.
Can someone please suggest a better approach to solve this?
You might want to try overwriting the Visitor ID.
I do not know how your site works in the backend, but generally, and theoretically (as I have yet to be asked by clients on to implement this):
Extract the Visitor ID when the user provides the email address and clicks on create new password. You might want to check the appendVisitorIDsTo (Cross-Domain Tracking) function out and see how the Visitor ID query parameter is implemented.
Send the Visitor ID along with the email address to your backend controller that spits out the template forget password email.
In the template forget password email, append the extracted Visitor ID as a query parameter in the reset link.
In DTM (if you are using DTM), modify your Marketing Cloud Visitor Service tool enable this configuration: overwriteCrossDomainMCIDAndAID.
When the user clicks on this reset link, the Visitor ID should be the one that is initially created for the user.
You might want to read this answer as well.
I cant find any help around on this topic because I am being told how to implement it rather than how it actually works.
All I know is two-factor authentication is authenticating users through an email and a phone number.
Here are my set of questions :
Does it authenticate users by verifying their email and phone number at the time of registration?
Does it authenticate users by verifying their email and phone number on every login?
Why is it that every user can set two-factor authentication enabled or disabled for their account? Isn't this an admin thing which should not be decided by the user?
I'll see if I can help clarify for you.
It works as an extra level of security. Traditionally you would have a username/email and password to get into a site. If the password is compromised then so is the account. Adding a phone number to your account will mean that only someone with access to that phone can get past the extra level of security and access your data.
When the user logs in with another 'step' is added before they get through. A token (usually a number with a short expiry - i.e. seconds) is tied to the user logging in and sent to their phone. They fill in the form and submit. The device the user is logging in with (laptop/phone/desktop browser) can then be tied to their account (see point 2 below).
This can be the case but if you take Google as an example you can select to 'Trust' the device logging in for 30 days. This ties the device to a trusted list (perhaps stored in a database for instance) for a set amount of time before asking at the point of login again.
Common practice is that it is the user's choice as to whether they have this extra level of security. They may not have access to a phone...what happens then? They may like the convenience of just using a username/email and strong password....it doesn't mean to say you can't force it by design in your system though.
The idea is not to use email addresses for uniquely identifying users for a contest submission form I need to build. Since emails are not unique and google allows emails with periods in them which makes it difficult to say if email is unique or not.
My requirement is the user is able to submit 2 ballots against an entry which gives them two spots. When the user lands on the page, I ask them if they are a new user or a returning user. If they are new user I generate a unique guid on server side and give it to them. If they are returning user I ask them to enter the guid provided and then I check this on my db to make sure its there and then show them the thank you page if they have casted all 3 votes or take them back to the page where they vote on facebook or twitter.
any thoughts? I think using guids I can guarantee noone would cheat the contest unlike emails which are not truly unique.
I think this is a simple one, I want to display the authentication key during a password reset.
First, is there any problem with doing so? Is there some kind of hole I'm opening up? I control when a user is created and sent signup_instructions. I only have about 500 users. My system is one where in many cases, it is only used a few times a year, and by only one or two employees at smallish companies , average 10 employees. Some of the companies we service , rather than create multiple accounts for employees, share one or more accounts, i.e. I create it for a specific person at the company, then they share the password with their assistant(s). I use email addresses for authentication key.
Can you guess what's coming next? This really happened! User goes on vacation, young assistant needs to log in, forgot the password, but is savvy enough to click forgot password and reset it, she reads bosses emails while boss is gone. Boss returns from vacation, needs to log in, can't, but isn't savvy enough to click forgot password and didn't bother to read her emails that came in while she was gone. So she calls in a panic and pissed off, 'what's wrong, I can't log in!!!'. Many of my users are like that, older, not real computer literate.
So I need to take extra steps to idiot proof resetting passwords, which I'm thinking should include PROMINENT display of the email address they are about to reset, plus wording to remind anyone who's 'sharing' an account to inform their co-workers if they reset.
I tried this in my devise/passwords/edit
<%= resource.email %>
The above code yields nothing!
You should never expose authentication data. That's why you never send them with GET but instead with POST. Do some research: how does gmail reset passwords? Another thing to remember, once you have done all that's reasonable, a user is responsible for safeguarding his personal information. If the secretary knows everything about the boss, then that's too bad -- unless they want you to use biometric to reset passwords.
I'm developing an application that requires authentication with devise/rails and it was decided to allow users sign in without email confirmation. However, after a deep thinking this odd workflow came in mind:
What if someone registers with my email, starts using it and later
I decide to join the app with my stolen email? The guy did not
confirm, but should I keep his account, block it or remove it?
(side note: email must be unique)
As the designer of the application, you are in control. You can handle that situation how you would like.
I'm not sure how facebook deals with 'unconfirmed' account creations. I would imagine that they allow whoever registered to check their e-mail and click the confirmation link within a certain amount of time - after which that e-mail becomes available for use by other users. This makes sense to me, as this would prevent people from spamming the site and effectively 'e-mail blocking' legitimate users from registering. If you forever allow unconfirmed accounts to sit and 'use up' e-mails, you could run into the following situation:
A malicious user creates thousands of 'fake' account registration attempts with bogus e-mails. These e-mails sit and wait forever to be confirmed, but never will be because they don't exist (yet), acting as 'in-use' e-mails. Some time later, a legit user happens to create an e-mail account with GMail or whoever that happens to match one of the 'bogus' e-mails submitted by the malicious user earlier. This legit user is then unable to register his or her e-mail with your service because the malicious user has 'e-mail blocked' this address.
My personal opinion is to give the registrant a certain amount of time to confirm their address as legitimate, and if they never confirm within that time frame, just discard the account creation attempt.
I've a very similar problem and the solution I've arrived (not implemented yet) is to make the user choose the email he want if there is not other confirmed user with that e-mail.
Once registered the user will be uncorfimed/nonactive and will receive a confirmation e-mail, when it will follow the link it will confirm his e-mail and other can't use it anymore.
Most of these sites require you to verify your email by sending you an email link. Only afterwards can you create an account. This handily sidesteps the problem of someone trying to steal someone else's email: unless they can log into your email account, they simply cannot.
Do you have a 'resend confirmation email' action (you should) or 'password forgotten' action (you should)? With both I could reclaim the account with my email address as only I have access to my emails.
Also think about the case of the user who creates an account, forgets about it and creates another account with the same email address.