Is captcha required when I have email verification step, while registration? - asp.net-mvc

I am building an ASP.NET MVC web application.
Do I need to use a captcha during user registration?
Because we make the user verify the email the standard way: sending a link in the email, and when the user clicks on the link, the email is verified.
Do you think bots can actually open an email and verify? Moreover, the bots will need a new email address for every registration.

Yes, bots can create new email accounts and send and receive email from those accounts.
You don't need to use a CAPTCHA if your site is unlikely to be targeted by bots, but if you are worried about an attack then a CAPTCHA is a good idea and fairly cheap to implement. You should bear in mind that it negatively affects the usability of your site and could make it difficult for some users to log in.

The "new email address" for every registration requirement isn't hard to beat (think mailinator.com) but I can't imagine a bot confirming your email, you just have to deal with sending out redundant emails and assess if that is an issue.

I think the gist of it can be summed up like this:
captchas help protect against automated signups
email confirmation helps protect against impersonation
Email confirmation is much easier than a good CAPTCHA for a bot to pass.

Related

MVC password reset mail NO SIMPLEMEMBERSHIP

Am I really that bad of a googler, or are there no guides out there on how to reset a password WITHOUT SimpleMembership using a token link?
I want the anonymous user to input the mail of the account, send a mail with a link, and when visiting that link the user is able to reset the password without the old password. I am not using SimpleMembership!
I know how to send emails and all that, but I have never created a token and used it for the link in the mail etc. Are there any decent guides that could help me with this?
Side note: I'm storing all my user information in Azure table storage.
Thanks
Stack Overflow isn't the best place to be asking overly broad "How do I do this?" questions, nor "recommend me a tutorial or guide".
(Having said that, I like the question/problem)
It should be fairly simple.
The user clicks on the "forgot password" link.
Generate a random string ("token"), such as a GUID, and store it (such as in a database). Also store the time that it was generated or an expiration date.
Email the user a link to your site with the appropriate token.
The user comes back to your site. If the token exists and was created within the expiration time (15-30 minutes?), then give them a form to change their password.
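A framework-independent sketch of the token steps above, added here as an example and not part of the answer: the token comes from RandomNumberGenerator rather than a GUID, only its hash is stored, and it is single-use and rejected once the expiry window has passed. The class name and the in-memory Dictionary (standing in for the asker's Azure table storage) are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Constructed example: a minimal password-reset token store. The Dictionary
// stands in for whatever persistent store the site uses (here, Azure tables).
public sealed class PasswordResetTokens
{
    private sealed class Entry
    {
        public string UserId;
        public DateTimeOffset ExpiresAt;
    }
    // Keyed by the SHA-256 hash of the token, never by the token itself, so a
    // leaked table row cannot be turned back into a working reset link.
    private readonly Dictionary<string, Entry> _byHash =
        new Dictionary<string, Entry>(StringComparer.Ordinal);
    private readonly TimeSpan _lifetime;
    public PasswordResetTokens(TimeSpan lifetime) { _lifetime = lifetime; }

    // Step 2 of the answer: create the token and record when it expires.
    // RandomNumberGenerator is used instead of Guid.NewGuid(), which is not
    // specified to be unpredictable; 32 random bytes is ample.
    public string Issue(string userId, DateTimeOffset now)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        // URL-safe base64 so it can be appended to the emailed link unchanged.
        string token = Convert.ToBase64String(raw)
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        _byHash[HashKey(token)] = new Entry { UserId = userId, ExpiresAt = now + _lifetime };
        return token;
    }

    // Step 4: look up the token from the link. It is removed on first use so the
    // same link cannot be replayed, and rejected once ExpiresAt has passed.
    // Returns the user id to show the change-password form for, or null.
    public string Redeem(string token, DateTimeOffset now)
    {
        Entry entry;
        string key = HashKey(token ?? string.Empty);
        if (!_byHash.TryGetValue(key, out entry)) return null;
        _byHash.Remove(key);
        return now < entry.ExpiresAt ? entry.UserId : null;
    }

    private static string HashKey(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
}
```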
Further reading
Resetting ASP.NET password - security issues?
Best way for a 'forgot password' implementation?

Devise 3.2, Confirmation without Login, and Password Creation for New Accounts

I've upgraded to Devise 3.2.1 and Rails 4.0, and I'm trying to figure out my signup now that one doesn't login on confirmation.
I allow users to create a message and specify the recipient of the message via an email address. Then I send emails notifying the recipient that they've received a message on the service. If the recipient doesn't have an account on the service, I create the account without a password, and the email I send to the recipient acts as a confirmation email. With prior versions, the recipient would then click on the link, thus confirming, and then be taken to a password creation stage, and finally they'd have a confirmed account created with a password and could go see the message.
With Devise 3.1, they no longer allow login via confirmation, as they consider it a security risk; however, I fear it may greatly increase the complexity of my sign up process. I can no longer redirect to a password creation page as they aren't logged in. I'm toying with the idea of taking them to a special signup page, or creating the account and then sending a special form of password reset.
I don't want to notify them via email, then send them a second email as a confirmation. That adds unnecessary complexity to my signup.
I wondered if anyone else has dealt with this issue and how they handled it. I'd like to avoid using:
config.allow_insecure_sign_in_after_confirmation = true
as that will go away soon and is really not the right way.
Is there a secure, yet fast way to do this with Devise 3.2?
Thanks!
I'm switching to using sorcery ( https://github.com/NoamB/sorcery ) for greater control over authentication and building my flow with that.
This is precisely the problem that the devise_invitable gem solves in a secure manner. I would recommend using this tool rather than trying to hand-roll your own solution, which is more likely to contain security flaws.
The gem workflow is basically:
An admin invites a new user.
The new user is created with a random password. (I actually helped write this bit!)
The user is sent an invitation email. (This is fully customisable in how it works, but has some simple default settings.)
The user receives a link, which contains a URL with a unique invitation_token.
After clicking this link, the user must choose their real password.

Can I have a "Forgot your password?" mechanism when using 2-factor authentication?

After some research I have implemented a solid "Forgot your password?" mechanism, and now I wanted to implement 2FA.
But now I'm thinking, what's the point of 2FA (password + email or SMS), if you can recover your account with the "Forgot your password?" mechanism, which only requires 1 factor (only email)?
Is it normal to have both or, as I'm now thinking, it's kind of pointless?
The idea behind the 2-factor authentication is that people often use the one email address for all their accounts and additionally choose a weak password which they use for all their accounts.
So if someone else gets access to that password on one system, this person will have access to all other accounts.
If the user has chosen a password for his email that is different from all others, the situation is a little bit better. But there is still one problem that remains. If someone was able to guess that password, the user would not recognize this until it is too late.
But if the mobile is lost or stolen, the probability is high that the user will request a blocking of the SIM card within a short period of time.
So you would send a confirmation code for actions on the account of the user that are uncommon or could result in losing access to the account.
It is up to you to choose when you send a verification code. (Always on login, only on changes of account data e.g. Password, email, new mobile number or for actions that would create costs for the user)

Altering the "From" or "Reply to" in google SMTP

I want to provide "Email a friend" functionality on my site. I have an ASP.NET MVC site and I am using GMail as our provider (Google Apps for Business).
So, a user will press my "Email a friend" button and be asked to enter their "reply to email address" and the email of the person they wish to send the email to. I then use our log in credentials to send the email. The problem is that the "reply to" address is changed to the credentials address.
So bob@home.com wants to send an email to tom@home.com. He enters the correct email addresses for both tom and himself. But when tom gets the email its reply-to is "sendingsite@gmail.com", which are the log in credentials.
I have done some research on this and as far as I understand this is not possible in gmail.... I believe.
My question is two fold.
Is this possible in gmail?
If not, how would I go about getting this functionality?
I know there are third party tools which do this and are free etc. but we don't want to use these due to privacy issues.
Is this possible in gmail? AFAIK it is not possible to change the FROM address to anything that is not either the google apps account name for the SMTP settings or an alias of it. I believe you can change the REPLYTO address. In System.Net.Mail.MailMessage, there is a ReplyToList property. Are you setting the replyto there?
If not, how would i go about getting this functionality? Try something besides gmail / google apps for business. I have heard good things about SendGrid.
Also be careful with this. GA4B has a limit on the number of mails that can be sent in a specific time period. If you violate this, G will detect that you are abusing the service and lock the account you are sending mails from. They intend their service to be used by people, not machines, to send mail. All it takes is 1 automated attack on your send-to-friend page to disable your GA4B account, so consider a captcha or some other human-proof widget.

How to allow other users to register with an email already taken but not confirmed?

I'm developing an application that requires authentication with devise/rails, and it was decided to allow users to sign in without email confirmation. However, after some deep thinking this odd workflow came to mind:
What if someone registers with my email, starts using it and later I decide to join the app with my stolen email? The guy did not confirm, but should I keep his account, block it or remove it?
(side note: email must be unique)
As the designer of the application, you are in control. You can handle that situation how you would like.
I'm not sure how Facebook deals with 'unconfirmed' account creations. I would imagine that they allow whoever registered to check their e-mail and click the confirmation link within a certain amount of time, after which that e-mail becomes available for use by other users. This makes sense to me, as this would prevent people from spamming the site and effectively 'e-mail blocking' legitimate users from registering. If you forever allow unconfirmed accounts to sit and 'use up' e-mails, you could run into the following situation:
A malicious user creates thousands of 'fake' account registration attempts with bogus e-mails. These e-mails sit and wait forever to be confirmed, but never will be because they don't exist (yet), acting as 'in-use' e-mails. Some time later, a legit user happens to create an e-mail account with GMail or whoever that happens to match one of the 'bogus' e-mails submitted by the malicious user earlier. This legit user is then unable to register his or her e-mail with your service because the malicious user has 'e-mail blocked' this address.
My personal opinion is to give the registrant a certain amount of time to confirm their address as legitimate, and if they never confirm within that time frame, just discard the account creation attempt.
I have a very similar problem, and the solution I've arrived at (not implemented yet) is to make the user choose the email he wants if there is no other confirmed user with that e-mail.
Once registered, the user will be unconfirmed/inactive and will receive a confirmation e-mail; when they follow the link they will confirm their e-mail and others can't use it anymore.
Most of these sites require you to verify your email by sending you an email link. Only afterwards can you create an account. This handily sidesteps the problem of someone trying to steal someone else's email: unless they can log into your email account, they simply cannot.
Do you have a 'resend confirmation email' action (you should) or 'password forgotten' action (you should)? With both I could reclaim the account with my email address as only I have access to my emails.
Also think about the case of the user who creates an account, forgets about it and creates another account with the same email address.