[Answered] How secure should an account activation be?


Well, to answer that question you have to consider why you have protection on your account activation. Likely it is to prevent people from guessing the activation code, so they would be able to use a false email address. As email addresses are very easy to get anyway, the activation process doesn’t need to be much harder than it would take to register an email account somewhere on the web. Anything more is wasted effort, as the attacker will simply shift the attack to another weak point.

Using random strings is perfectly fine for this.

If you need more security you can consider putting a hashed account id in there, so you can count and then stop multiple failed attempts to guess the activation code.


It is a good thing to have variable length, lest it be susceptible to timing attacks.

Also, Python's inbuilt random is not really cryptographically safe, so it is always preferable to use sha from hashlib or the system random generator via Linux, which you can obtain by making a sys call.
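An added example (not code from either answer) that puts the two suggestions together in Python: the activation code comes from the `secrets` module rather than `random`, only its SHA-256 hash is stored against the account id, and failed guesses per account are counted and cut off. The `MAX_ATTEMPTS` value and the in-memory `ActivationStore` are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 5  # assumption: lockout threshold, not from the original answers


@dataclass
class PendingActivation:
    """Server-side record; only the hash of the code is kept, never the code."""
    code_hash: bytes
    failed_attempts: int = 0


class ActivationStore:
    """Hypothetical in-memory store keyed by account id (illustration only)."""

    def __init__(self) -> None:
        self._pending: dict[str, PendingActivation] = {}

    def issue(self, account_id: str) -> str:
        # secrets is backed by the OS CSPRNG (os.urandom), unlike the random module.
        code = secrets.token_urlsafe(32)
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[account_id] = PendingActivation(digest)
        return code  # this is the only copy; it goes out in the e-mail

    def activate(self, account_id: str, presented: str) -> bool:
        rec = self._pending.get(account_id)
        if rec is None or rec.failed_attempts >= MAX_ATTEMPTS:
            return False  # unknown account or too many failed guesses
        presented_hash = hashlib.sha256(presented.encode()).digest()
        # Hashing first yields equal-length inputs; compare_digest does not
        # short-circuit on the first differing byte.
        if hmac.compare_digest(rec.code_hash, presented_hash):
            del self._pending[account_id]  # single use
            return True
        rec.failed_attempts += 1
        return False

    def attempts(self, account_id: str) -> int:
        rec = self._pending.get(account_id)
        return rec.failed_attempts if rec else 0
```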

