
Create Secure Account Activation

I'm looking for some best practices when it comes time to allowing a user to
create an account for our web app.

For example, a potential customer of ours would fill out an application and
then an email would be sent w/further instructions on how to activate and
login to their account. What's the best way to accomplish this? Should our
system create a unique password for them (initially) and then require them to
create their own? I need a solution that is secure with almost no chance
of someone attempting to impersonate.
Jul 24 '06 #1
3 Replies



Eric wrote:
> I'm looking for some best practices when it comes time to allowing a user to
> create an account for our web app.
>
> For example, a potential customer of ours would fill out an application and
> then an email would be sent w/further instructions on how to activate and
> login to their account. What's the best way to accomplish this? Should our
> system create a unique password for them (initially) and then require them to
> create their own? I need a solution that is secure with almost no chance
> of someone attempting to impersonate.

The only way to do that is to ask users to visit your offices and
personally stand over them while they fill in your form, having checked
their driving licence, passport, irises, references and DNA.

Seriously, though - I can't see much difference between your solution
and allowing users to submit their own password, especially since you
are inviting them to do so anyway. In fact, I would suggest that your
method is LESS secure, in that you will be providing a password by
email, which a lot of people won't change and will keep a copy in their
mailbox. There is much less likelihood of persistent records of
passwords lying around if people are asked to provide one at
registration.

For ideas on best practice, have a trawl round the mega-ecommerce sites
like Amazon, Ebay etc. See how they do it.

--
Mike Brind

Jul 24 '06 #2

The system created password (in combination with some other piece of data)
would only enable them to then create their own and would not otherwise allow
them access to their account. I'm thinking it would be one more way to
authenticate them before activation. Having them retain it and try to use it
later would prove fruitless.

"Mike Brind" wrote:
>
> Eric wrote:
>> I'm looking for some best practices when it comes time to allowing a user to
>> create an account for our web app.
>>
>> For example, a potential customer of ours would fill out an application and
>> then an email would be sent w/further instructions on how to activate and
>> login to their account. What's the best way to accomplish this? Should our
>> system create a unique password for them (initially) and then require them to
>> create their own? I need a solution that is secure with almost no chance
>> of someone attempting to impersonate.
>
> The only way to do that is to ask users to visit your offices and
> personally stand over them while they fill in your form, having checked
> their driving licence, passport, irises, references and DNA.
>
> Seriously, though - I can't see much difference between your solution
> and allowing users to submit their own password, especially since you
> are inviting them to do so anyway. In fact, I would suggest that your
> method is LESS secure, in that you will be providing a password by
> email, which a lot of people won't change and will keep a copy in their
> mailbox. There is much less likelihood of persistent records of
> passwords lying around if people are asked to provide one at
> registration.
>
> For ideas on best practice, have a trawl round the mega-ecommerce sites
> like Amazon, Ebay etc. See how they do it.
>
> --
> Mike Brind

Jul 24 '06 #3
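
The activation-only credential described in the post above, as an added example that is not from any poster in this thread: a random single-use token is emailed, only its hash is stored, and presenting it does nothing except let the user set a password. The function names, in-memory dictionaries, 24-hour lifetime and PBKDF2 settings are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600    # assumed lifetime of an activation link, in seconds
PBKDF2_ROUNDS = 600_000  # assumed work factor
_pending = {}            # account_id -> (sha256(token), expiry); stands in for a DB table
_passwords = {}          # account_id -> (salt, password hash); stands in for the user table

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def issue_activation_token(account_id, now=None):
    """Return the random value to embed in the activation email link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)                 # 256 bits from the OS CSPRNG
    digest = hashlib.sha256(token.encode()).digest()
    _pending[account_id] = (digest, now + TOKEN_TTL)  # store only the hash
    return token

def activate(account_id, token, new_password, now=None):
    """Consume a valid token and set the user's own password."""
    now = time.time() if now is None else now
    record = _pending.get(account_id)
    if record is None:
        return False                      # never issued, or already used
    digest, expiry = record
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(digest, presented):
        return False                      # wrong token: pending record is left alone
    del _pending[account_id]              # single use, even if it proves to be expired
    if now > expiry:
        return False
    salt = secrets.token_bytes(16)
    _passwords[account_id] = (salt, _hash_password(new_password, salt))
    return True

def login(account_id, password):
    """Only the password the user chose is accepted; the emailed token never is."""
    record = _passwords.get(account_id)
    if record is None:
        return False                      # not activated yet
    salt, stored = record
    return hmac.compare_digest(stored, _hash_password(password, salt))
```

In a deployment the two dictionaries would be database tables, and activation attempts would be rate limited per account.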

making them change their password on their 1st login or something like that
might help too

check out the free version of aspprotect for some ideas.. they also have a
password expiration mod thingie too that you might want to look at
www.aspprotect.com

also, search aspin.com for ideas

"Eric" <Er**@discussions.microsoft.com> wrote in message
news:06**********************************@microsoft.com...
> The system created password (in combination with some other piece of data)
> would only enable them to then create their own and would not otherwise allow
> them access to their account. I'm thinking it would be one more way to
> authenticate them before activation. Having them retain it and try to use it
> later would prove fruitless.
>
> "Mike Brind" wrote:
>>
>> Eric wrote:
>>> I'm looking for some best practices when it comes time to allowing a user to
>>> create an account for our web app.
>>>
>>> For example, a potential customer of ours would fill out an application and
>>> then an email would be sent w/further instructions on how to activate and
>>> login to their account. What's the best way to accomplish this? Should our
>>> system create a unique password for them (initially) and then require them to
>>> create their own? I need a solution that is secure with almost no chance
>>> of someone attempting to impersonate.
>>
>> The only way to do that is to ask users to visit your offices and
>> personally stand over them while they fill in your form, having checked
>> their driving licence, passport, irises, references and DNA.
>>
>> Seriously, though - I can't see much difference between your solution
>> and allowing users to submit their own password, especially since you
>> are inviting them to do so anyway. In fact, I would suggest that your
>> method is LESS secure, in that you will be providing a password by
>> email, which a lot of people won't change and will keep a copy in their
>> mailbox. There is much less likelihood of persistent records of
>> passwords lying around if people are asked to provide one at
>> registration.
>>
>> For ideas on best practice, have a trawl round the mega-ecommerce sites
>> like Amazon, Ebay etc. See how they do it.
>>
>> --
>> Mike Brind


Jul 25 '06 #4
