tags:

views:

74

answers:

2
+5  Q: 

Is MD5 a good way to generate account verification code

When users register an account they get an email with a verification code that they can click to verify their accounts.

This is how I generate the verification code.

md5(rand(0,1000)

Is using the method below a bad choice? It generates a random number between 0-1000. Since there are only 1000 options, and their MD5 hashes are known, it should take an attacker just a 1000 trials to verify the account without it really belonging to them

+4  A: 

Just seed it with something the attacker could not know:

md5(rand(0,1000).'helloworld234');

There is no limit at how crasy you could go

md5(md5(time().'helloguys'.rand(0,9999)));

Way too much but you get the idea.

Iznogood  2010-09-09 02:19:45
the more entropy, the better. I'd put at least the user ID or email of the person registering, along with the time to the greatest precision possible.
John Gaughan  2010-09-09 02:27:25
@John Well i taught of suggesting some seed generated from the spin of an atom but you know the cost and all that.
Iznogood  2010-09-09 02:30:51
rand() is horrible and should never be used for security, mt_rand() is better. Also the attacker knows time(), he is the one creating the account.
Rook  2010-09-09 04:30:24
+3  A: 

This thread http://stackoverflow.com/questions/46231/how-to-generate-a-verification-code-number has some good thoughts on the matter. Hashes, reversible hashes, check-digits... plenty of options depending on your needs.

J. Farray  2010-09-09 02:25:47

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases