Wednesday, February 18, 2009

Yep, that ought to be secure!

Web site account activation system:

  1. Ask new user for name, email address, password
  2. Send confirmation email containing:
    • carefully randomized confirmation URL
    • name
    • email address
    • password (helpfully converted to lowercase for ease of use)
  3. Provide no method of changing email address or password

(site name omitted because no one has any reason to give them a credit card anyway)
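For contrast, here is what the same activation flow looks like when the confirmation email carries only a single-use random token and the password is never stored or mailed in the clear. This is an added example, not the site's code; the `PENDING` store, `example.invalid` URL and function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

ITERATIONS = 600_000          # PBKDF2 work factor
PENDING: dict = {}            # hypothetical stand-in for the user table


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes


def hash_password(password: str, salt: Optional[bytes] = None) -> PasswordRecord:
    """Salted PBKDF2-HMAC-SHA256; the password is kept only in this form."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return PasswordRecord(salt, digest)


def verify_password(password: str, rec: PasswordRecord) -> bool:
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), rec.salt, ITERATIONS)
    return hmac.compare_digest(cand, rec.digest)   # constant-time compare


def register(name: str, email: str, password: str) -> str:
    """Return the activation email body.

    The password is hashed as-is (case preserved, never lowercased) and the
    server stores only a hash of the token, so a leaked database cannot be
    replayed as a working activation link.
    """
    token = secrets.token_urlsafe(32)
    token_key = hashlib.sha256(token.encode()).hexdigest()
    PENDING[token_key] = {"name": name, "email": email, "pw": hash_password(password)}
    return (f"Hi {name},\n\nConfirm your account here:\n"
            f"https://example.invalid/activate?token={token}\n")


def activate(token: str) -> Optional[dict]:
    """Consume the token once; a second use (or a guessed value) returns None."""
    return PENDING.pop(hashlib.sha256(token.encode()).hexdigest(), None)
```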