"Aaron [SQL Server MVP]" wrote in message
news:u3**************@TK2MSFTNGP15.phx.gbl...
:> BTW... just asking but is this your alternative, a bizarre increment?
:
: No, actually, I am not sure the user ever has to know the surrogate and
: meaningless key you've applied to identify their account. Whether they use
: ?somePage=367 or
: ?somePage=big_long_stupid_string_here_that_WILL_wrap_in_some_clients_no_matter_how_much_you_tested_it,
: they still have to map that to the e-mail address that specific identifier
: was sent to.
:
: You asked if it was a good idea, I think I've pointed out a couple of issues
: with it, you're going to ignore those, so go ahead, use GUID, it must be a
: fabulous idea. *sigh*
And those were excellent points too. (O:=
You shouldn't take this personally. I respect your opinion(s). I may not
always agree, but getting the opinions of others helps me to make a decision and
generally provides knowledge of something I may not have considered. You
have valid points. I also never said I was going to ignore them. And I
don't particularly like the GUID idea, although I do use it to eliminate spam
(another discussion).
The email address is not relevant here because it is not the sending to the
user that I am concerned with in this discussion, but rather the attempt to
visit the link with a valid account and then attempt to brute-force the
password. My goal was to make it difficult before they ever got to attempt
attacking the password.
I also stated in my last post that I would consider using my password creation
routine. A randomly sized alphanumeric case-sensitive account code might be
a strong enough defense, at least for the account code.
Perhaps I should explain what this is for...
The account is for subscriptions for fuel surcharges in my shopping cart.
Without the subscription, merchants will have to keep track of this
themselves to avoid losing money re: shipping should the price rise. With a
subscription, which will require the account code/password and known link,
the merchant will "Set it and forget it." Annual renewals will require a
logon, so only during the initial setup and renewal will this issue present
itself. Surely people will be able to copy/paste at a minimum once a year.
--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center -
http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation -
http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library -
http://msdn.microsoft.com/library/default.asp
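A worked example of the random account code discussed in this thread, added here as an illustration and not code from the original posts or from Roland's shopping cart: it draws a case-sensitive alphanumeric code from the operating system's CSPRNG, offers the random-length variant the post mentions, and puts numbers on the guess space of a sequential id, a fixed-length random code and a version 4 GUID. The function names, code lengths and the sample account count are assumptions chosen for the example.

```python
"""Random account codes versus sequential ids and GUIDs.

Added example, not from the original thread. Function names, lengths and
the sample account count are assumptions chosen for illustration.
"""
import math
import secrets
import string

# Case-sensitive alphanumeric alphabet: 26 + 26 + 10 = 62 symbols.
ALPHABET = string.ascii_letters + string.digits


def account_code(length: int) -> str:
    """Return a fixed-length code drawn symbol by symbol from a CSPRNG.

    secrets.choice reads the operating system's random source, so one
    code reveals nothing about the next, unlike a sequential id or a
    PRNG seeded from the clock.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_length_code(min_len: int, max_len: int) -> str:
    """Variant with a random length in [min_len, max_len]."""
    if not 1 <= min_len <= max_len:
        raise ValueError("need 1 <= min_len <= max_len")
    length = min_len + secrets.randbelow(max_len - min_len + 1)
    return account_code(length)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy in a uniformly random code of `length` symbols."""
    return length * math.log2(alphabet_size)


def sequential_id_bits(n_accounts: int) -> float:
    """A sequential id such as ?somePage=367 is one of only n_accounts values,
    so an attacker who knows the rough account count needs about that many
    guesses to enumerate every account."""
    return math.log2(n_accounts)


def guid_v4_entropy_bits() -> int:
    """A random (version 4) GUID carries 122 random bits: 128 minus the
    4 version bits and the 2 variant bits. Other GUID versions (time- or
    MAC-based) are not random and give no such guarantee."""
    return 122


def expected_guesses(bits: float) -> float:
    """Average number of guesses to hit one specific value by enumeration."""
    return 2.0 ** bits / 2


def is_valid_code(candidate: str, min_len: int, max_len: int) -> bool:
    """Cheap syntactic check to run before any database lookup: requests with
    the wrong length or characters outside the alphabet can be rejected
    without touching storage, which also keeps junk out of the query."""
    return min_len <= len(candidate) <= max_len and all(c in ALPHABET for c in candidate)


if __name__ == "__main__":
    code = random_length_code(12, 20)  # assumed bounds for the example
    print("sample code:", code, "valid:", is_valid_code(code, 12, 20))
    for label, bits in [
        ("sequential id, 1000 accounts", sequential_id_bits(1000)),
        ("8-char alphanumeric", entropy_bits(8)),
        ("16-char alphanumeric", entropy_bits(16)),
        ("version 4 GUID", guid_v4_entropy_bits()),
    ]:
        print(f"{label:30s} {bits:6.1f} bits, ~{expected_guesses(bits):.3g} guesses")
```

Two points the numbers make clear: a 16-symbol code from this alphabet carries about 95 bits, enough that enumerating account codes is hopeless, whereas a sequential id gives away roughly log2(number of accounts) bits and can be walked in minutes; and making the length random adds at most log2(max_len - min_len + 1) bits on top of the shortest length, so the strength comes from the code length itself rather than from varying it.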