Is a random string a good verification code?

I am creating a verification code that will be used to activate the account. You must have seen such things before.

My question is: if I were to generate this code using a complex formula:

md5(md5(time().'helloguys'.rand(0,9999))); 

Is this really better than generating only a random string of 32 characters and numbers like gj3dI3OGwo5Enf... ?

+7
security php registration account
2 answers

No, using a hash is no better. It would be safer (less predictable) to choose 32 random characters. (Numbers are symbols.) Use a good ("cryptographic") random number generator with a good seed (some bytes from /dev/random). Do not use time as a seed.

+6
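The advice in this answer as a PHP sketch. It is an added example, not code from the question or from either answer. It draws each of the 32 characters from the operating system's CSPRNG with `random_int()` (PHP 7.0+), and goes slightly beyond the answer by storing only a digest of the code and checking an expiry time; the function names and the 24-hour validity are assumptions made for illustration.

```php
<?php
// Added example. Function names and the validity period are hypothetical.

const TOKEN_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

/** Return $length characters, each chosen uniformly from TOKEN_ALPHABET. */
function make_activation_token(int $length = 32): string
{
    $alphabet = TOKEN_ALPHABET;
    $max = strlen($alphabet) - 1;
    $token = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() uses the OS CSPRNG and is unbiased over [0, $max];
        // no time() value or rand() seed is involved.
        $token .= $alphabet[random_int(0, $max)];
    }
    return $token;
}

/** Digest kept server-side, so a leaked table does not reveal usable codes. */
function token_digest(string $token): string
{
    return hash('sha256', $token);
}

/** Check a submitted code against the stored digest and its expiry time. */
function verify_activation_token(string $submitted, string $storedDigest, int $expiresAt, int $now): bool
{
    if ($now > $expiresAt) {
        return false; // expired codes are rejected even when they match
    }
    // hash_equals() compares the two digests in constant time.
    return hash_equals($storedDigest, token_digest($submitted));
}

// Constructed demonstration values.
$now     = time();
$token   = make_activation_token();   // sent to the user in the activation link
$digest  = token_digest($token);      // stored with the pending account
$expires = $now + 86400;              // hypothetical 24-hour validity

var_dump(strlen($token));                                                   // length of the code
var_dump(verify_activation_token($token, $digest, $expires, $now));         // matching code
var_dump(verify_activation_token($token . 'x', $digest, $expires, $now));   // altered code
var_dump(verify_activation_token($token, $digest, $expires, $expires + 1)); // after expiry
```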

I agree with erickson; I can just advise you to use the

 pwgen -1 -s 

command on *nix, which will do better than any procedure you can think of.

If you want to generate some string programmatically, you can take a look at

 <?php $better_token = md5(uniqid(rand(),1)); ?> 

This gives a very good level of randomness and before collisions.

If you need an even higher level of security, you can consider generating random sequences at http://www.random.org/

+1