Blog | G5 Cyber Security

Activation Email Security

G5 Cyber Security

TL;DR

Reduce information leaks in activation emails by using a unique token instead of directly embedding user data (like usernames or email addresses) in the link. This protects users if the email is intercepted.

How to Improve Activation Email Security

  1. Understand the Risk: Activation emails often contain links that, when clicked, confirm a new account. If these links include sensitive information like usernames or full email addresses, they become targets for attackers. An intercepted email could allow someone else to activate the account.
  2. Generate Unique Tokens: Instead of embedding user data directly into the activation link, create a unique, random token for each new user registration.
    • The token should be long and unpredictable (e.g., 32+ characters).
    • Store this token securely in your database, associated with the user account. Don’t store it in plain text; use a strong hashing algorithm like bcrypt or Argon2.
  3. Construct the Activation Link: The activation link should include only the unique token. 
    https://yourwebsite.com/activate?token=YOUR_UNIQUE_TOKEN
  4. Verification Process: When a user clicks the activation link:
    • Extract the token from the URL.
    • Query your database to find the user account associated with that token.
    • If found, activate the account and invalidate (delete or mark as used) the token immediately. 
      SELECT * FROM users WHERE activation_token = 'YOUR_UNIQUE_TOKEN';
    • If not found, display an error message indicating the link is invalid.
  5. Token Expiration: Add an expiration time to your tokens.
    • Tokens should become invalid after a reasonable period (e.g., 24-72 hours). This limits the window of opportunity for attackers.
    • When querying the database, check if the token has expired before activating the account. 
      SELECT * FROM users WHERE activation_token = 'YOUR_UNIQUE_TOKEN' AND expires_at > NOW();
  6. Email Content: The email should clearly state the purpose of the link and encourage users to contact support if they did not request an account.

    Avoid including any sensitive user information in the email body.

  7. Rate Limiting: Implement rate limiting on activation requests to prevent brute-force attacks. Limit the number of activation attempts from a single IP address or email address within a specific timeframe.
  8. Security Considerations for Token Generation: Use a cryptographically secure random number generator (CSPRNG) when creating tokens. Avoid predictable patterns. 
    # Python example using secrets module
import secrets
token = secrets.token_urlsafe(32)
Exit mobile version