What are some suggestions for improving security in the registration process?

  • Context: Suggestion
  • Thread starter: cronxeh
cronxeh
Well, in light of recent events, it seems only prudent to add security to the registration process. My suggestions are as follows:

1. Check to see if the number of current registrations is 2 standard deviations away from the average for daily number of registrations, and if it is, then notify admin by SMS/email. The average and stdev could be calculated once every 24 hours and stored in the SQL database to save computational time and add robustness to the algorithm.

2. Add a captcha or some sort of nonlinear image for verification purposes.

3. Check each registrant's IP for an anonymous proxy or whether the IP is a multiple of another registered account, and deny any new registration to that IP; add an option to delete all newly registered users with the same IP.
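
Editor's added example (not part of cronxeh's post and not the forum's own code): a sketch of suggestion 1, with the baseline recomputed once a day and stored in SQL, and each new registration checked against the stored values. The table names, the 7-day minimum history, the stdev floor, and the choice to alert only on upward spikes and to leave flagged days out of the baseline are assumptions of this example.

```python
import sqlite3
import statistics

THRESHOLD_SIGMAS = 2.0  # the "2 standard deviations" from suggestion 1
MIN_HISTORY_DAYS = 7    # assumption: too little history gives no baseline

def open_db():
    db = sqlite3.connect(":memory:")  # hypothetical schema for this example
    db.execute("CREATE TABLE daily_regs (day TEXT PRIMARY KEY, n INTEGER,"
               " flagged INTEGER DEFAULT 0)")
    db.execute("CREATE TABLE baseline (id INTEGER PRIMARY KEY CHECK (id = 1),"
               " mean REAL, stdev REAL)")
    return db

def refresh_baseline(db):
    """Run once every 24 hours: store mean/stdev of past daily counts."""
    # Days flagged as spikes are skipped so a flood cannot raise its own baseline.
    counts = [n for (n,) in
              db.execute("SELECT n FROM daily_regs WHERE flagged = 0")]
    if len(counts) < MIN_HISTORY_DAYS:
        return None
    mean, stdev = statistics.fmean(counts), statistics.stdev(counts)
    db.execute("INSERT OR REPLACE INTO baseline VALUES (1, ?, ?)", (mean, stdev))
    return mean, stdev

def check_today(db, day, count_so_far):
    """Cheap per-registration check; returns (alert, z). Caller notifies admin."""
    row = db.execute("SELECT mean, stdev FROM baseline WHERE id = 1").fetchone()
    if row is None:
        return False, None  # no baseline yet, nothing to compare against
    mean, stdev = row
    # Floor stdev at 1 so a flat history neither divides by zero nor
    # alerts on a single extra sign-up.
    z = (count_so_far - mean) / max(stdev, 1.0)
    alert = z > THRESHOLD_SIGMAS  # only upward spikes indicate sign-up floods
    if alert:
        db.execute("INSERT OR REPLACE INTO daily_regs VALUES (?, ?, 1)",
                   (day, count_so_far))
    return alert, z

# Constructed sample data: ten ordinary days of sign-ups.
SAMPLE = [41, 38, 45, 40, 36, 44, 39, 42, 37, 43]

def demo():
    db = open_db()
    db.executemany("INSERT INTO daily_regs (day, n) VALUES (?, ?)",
                   [(f"2000-01-{i + 1:02d}", n) for i, n in enumerate(SAMPLE)])
    refresh_baseline(db)
    return check_today(db, "2000-01-11", 44), check_today(db, "2000-01-11", 120)

if __name__ == "__main__":
    print(demo())
```
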
 
Thanks for your suggestions cronxeh. We are actively taking steps to strengthen our registration process.
 
If you make it one IP per registration you may run into problems with people using the same networks, i.e. schools. Also, ISPs sometimes recycle IPs around.
 
I often wonder if just changing names of fields/variables passed through GET/POST won't make most scripts fail. I don't think they always analyze full page code, most likely it is just done once manually.
 
