
rails - Creating a Secure ID / Password

I'm looking for a Rails way to create a very secure UID that will act as an authentication token.

I had been using UUID but was told they are not secure. I'd like to learn, what is the method of choice these days in ruby/rails 3?


This question is in no way Rails specific.

UUID is not secure for the simple fact that it is a unique identifier and it contains 'constant' parts of a given machine (e.g. it might use the MAC address for a machine), which makes it easier to guess.

If you want 100k+ strings without someone guessing one, you need to be able to distribute your keys across a large key-space. Let me explain:

If you only need 1 key (let's say), you might pick 'A'. In a key-space of A-Z you have a 1:26 chance of guessing it. Now, if you'd extend your key-space to A-Za-z you have a 1:52 chance of guessing.

Need more security still? Use a longer key: 'AA' 1:2704 chance.

Now, if you'd want to have 2000 keys and use a key length of 2 (e.g. 'AA'), there's a 2000:2704 => 1:1.352 chance someone might guess it. Pretty bad.

So, the key here is to pick a very long key size. With Digest::SHA1 you get 40-character keys (using Hex, with 16 different values per character). That's 1.46150164e48 unique values. Your 100k values should be random enough.

Edit:

With 40-digit HEX SHA1 values you have a 1:461501640000000000000000000000000000000000000000000 chance of guessing one. That takes ages.

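The key-space arithmetic in the answer above, together with a token generator that draws its 40 hex characters from the OS CSPRNG, as an added Ruby example (not part of the original question or answer). The `store` Hash standing in for a database table, and the choice to persist only a SHA-256 digest of each token, are assumptions made for this example.

```ruby
require 'securerandom'
require 'digest'

# Size of the key-space for an alphabet of `alphabet_size` symbols
# and tokens of `length` characters (e.g. 26**1 for 'A'..'Z', 52**2 for 'AA').
def key_space(alphabet_size, length)
  alphabet_size**length
end

# Probability that a single guess hits one of `issued` valid tokens.
# Returned as a Rational so the 2000:2704 example from the answer is exact.
def guess_probability(issued, alphabet_size, length)
  Rational(issued, key_space(alphabet_size, length))
end

# 20 random bytes from the OS CSPRNG, rendered as 40 hex characters.
# Nothing in the token is derived from the machine (no MAC address, no clock).
def generate_token(bytes = 20)
  SecureRandom.hex(bytes)
end

# Persist only a digest of the token (assumption: `store` is a Hash playing
# the role of a table). A leaked store then does not leak usable tokens.
def store_token(store, token)
  store[Digest::SHA256.hexdigest(token)] = true
  token
end

# Lookup by digest of the presented token.
def valid_token?(store, presented)
  store.key?(Digest::SHA256.hexdigest(presented))
end

if __FILE__ == $PROGRAM_NAME
  puts "A-Z, length 1:      1:#{key_space(26, 1)}"
  puts "A-Za-z, length 2:   1:#{key_space(52, 2)}"
  puts "2000 keys, 52^2:    #{guess_probability(2000, 52, 2).to_f.round(4)} per guess"
  puts "hex, length 40:     #{key_space(16, 40)} (#{key_space(16, 40).to_s.length} digits)"
  tokens = {}
  t = store_token(tokens, generate_token)
  puts "token: #{t}  valid? #{valid_token?(tokens, t)}  other valid? #{valid_token?(tokens, generate_token)}"
end
```

`key_space(16, 40)` is 16^40 = 2^160, a 49-digit number, which matches the 1.46e48 figure in the answer; with 100k tokens issued, a single guess succeeds with probability 100000 / 2^160, so the token length, not the count of issued tokens, dominates. `SecureRandom.hex(20)` is the standard-library call for this; the digest-at-rest pattern is the added practitioner step so that a database dump does not hand out live credentials.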