Is a random string a good verification code
I'm generating a verification code to be used for account activation. You've probably seen this sort of thing before.
My question: if I were to generate this code with a complex formula like this:
md5(md5(time().'helloguys'.rand(0,9999)));
Is it really any better than generating just a random string of 32 characters and numbers like gj3dI3OGwo5Enf...?
No, using the hash is not better. It would be more secure (less predictable) to pick 32 random characters. (Digits are characters.) Use a good ("cryptographic") random number generator, with a good seed (some bytes from /dev/random). Don't use time as a seed.
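As an added example (it is not part of the question or of this answer), the Python script below ports the question's PHP expression, shows why hashing a timestamp plus rand(0,9999) does not buy unpredictability, and contrasts it with a 32-character code drawn from the operating system's CSPRNG. The salt string is the one from the question; the timestamps, the attacker's time window and the rand() value are constructed for the demonstration. The PHP equivalents of the strong generator used here are random_int() and random_bytes().

```python
import hashlib
import math
import secrets
import string

# 62 symbols, the "characters and numbers" alphabet the question mentions.
ALPHABET = string.ascii_letters + string.digits


def weak_code(timestamp: int, r: int, salt: str = "helloguys") -> str:
    """Port of the question's md5(md5(time().'helloguys'.rand(0,9999))).

    PHP's md5() returns a 32-char hex string, so the outer md5 hashes that
    hex text, which is what this port does too. The only secret input is r,
    and it has just 10000 possible values (about 13 bits).
    """
    inner = hashlib.md5(f"{timestamp}{salt}{r}".encode()).hexdigest()
    return hashlib.md5(inner.encode()).hexdigest()


def brute_force_weak_code(target: str, approx_time: int, window: int = 30,
                          salt: str = "helloguys"):
    """Recover (timestamp, r) for a code produced by weak_code().

    The attacker knows the salt (it sits in the source code) and only needs
    to know roughly when the account was registered. A window of +/- `window`
    seconds times 10000 rand() values is a search space of a few hundred
    thousand hashes, which is seconds of work. Returns None when the code
    was not issued inside the window (constructed scenario).
    """
    for t in range(approx_time - window, approx_time + window + 1):
        for r in range(10000):
            if weak_code(t, r, salt) == target:
                return t, r
    return None


def strong_code(length: int = 32) -> str:
    """32 symbols chosen with the OS CSPRNG (secrets.choice, i.e. os.urandom).

    Nothing here derives from the clock or from a seed, so there is no
    narrower search space than the full 62**32 (about 190 bits).
    secrets.token_hex(16) would be an equally good 32-character hex variant.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string, in bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed scenario: the server issued a code at t0 with rand() = 4242.
    t0, r0 = 1_700_000_000, 4242
    issued = weak_code(t0, r0)
    # The attacker saw the registration about 3 seconds later.
    print("weak code recovered:", brute_force_weak_code(issued, t0 + 3, window=5))
    print("weak search space (60 s window):", round(search_space_bits(10000 * 61, 1), 1), "bits")
    print("strong code:", strong_code())
    print("strong search space:", round(search_space_bits(len(ALPHABET), 32), 1), "bits")
```

The point the brute force makes is the one this answer states: the double md5 is a deterministic function of a guessable timestamp and a 10000-way value, so the code is no harder to guess than that input. The hash adds length, not entropy; only the CSPRNG-based generator does.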
I agree with erickson; I would just advise you to use the
pwgen -1 -s
command on *nix, which will do the job much better than any procedure you may invent.
If you want to generate some string programmatically, you may take a look at
<?php
$better_token = md5(uniqid(rand(),1));
?>
This gives a very good level of randomness and is not prone to collisions.
If you need an even higher level of security, you may consider generating random sequences on http://www.random.org/