When users register an account they get an email with a verification code that they can click to verify their accounts.

This is how I generate the verification code.

md5(rand(0,1000));

Is using the method below a bad choice? It generates a random number between 0-1000. Since there are only 1000 options, and their MD5 hashes are known, it should take an attacker just 1000 trials to verify the account without it really belonging to them.

+4  A: 

Just seed it with something the attacker could not know:

md5(rand(0,1000).'helloworld234');

There is no limit to how crazy you could go:

md5(md5(time().'helloguys'.rand(0,9999)));

Way too much but you get the idea.

Iznogood
The more entropy, the better. I'd put at least the user ID or email of the person registering, along with the time to the greatest precision possible.
John Gaughan
@John Well, I thought of suggesting some seed generated from the spin of an atom, but you know, the cost and all that.
Iznogood
rand() is horrible and should never be used for security, mt_rand() is better. Also the attacker knows time(), he is the one creating the account.
Rook
+3  A: 

This thread http://stackoverflow.com/questions/46231/how-to-generate-a-verification-code-number has some good thoughts on the matter. Hashes, reversible hashes, check-digits... plenty of options depending on your needs.

J. Farray
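
An added example, not code from the question or from any answer above: one way to issue and check an email verification token without md5() or rand(), taking the token straight from the operating system's CSPRNG. The names issueToken, verifyToken and $store, the 24-hour lifetime and the in-memory array standing in for a database table are assumptions made for the illustration.

```php
<?php
// Added example: issueToken, verifyToken and $store are hypothetical names.
declare(strict_types=1);

const TOKEN_TTL = 86400; // assumed token lifetime in seconds (24 hours)

/** Create a token for $userId and return the value to put in the email link. */
function issueToken(array &$store, int $userId, int $now): string
{
    // 16 bytes = 128 bits from the OS CSPRNG; nothing guessable is mixed in.
    $token = bin2hex(random_bytes(16));
    // Keep only a hash server-side, so a leaked table holds no usable tokens.
    $store[$userId] = [
        'hash'    => hash('sha256', $token),
        'expires' => $now + TOKEN_TTL,
    ];
    return $token;
}

/** Check a submitted token; a valid token is accepted once and then deleted. */
function verifyToken(array &$store, int $userId, string $submitted, int $now): bool
{
    if (!isset($store[$userId])) {
        return false;                      // no pending verification
    }
    $row = $store[$userId];
    if ($now > $row['expires']) {
        unset($store[$userId]);            // expired tokens are discarded
        return false;
    }
    // hash_equals() compares in constant time.
    if (!hash_equals($row['hash'], hash('sha256', $submitted))) {
        return false;
    }
    unset($store[$userId]);                // single use
    return true;
}

// Constructed demo data: user id 42 and an empty in-memory store.
$store = [];
$now   = time();
$token = issueToken($store, 42, $now);

var_dump(verifyToken($store, 42, md5('7'), $now)); // a value the old scheme could produce
var_dump(verifyToken($store, 42, $token, $now));   // the emailed token
var_dump(verifyToken($store, 42, $token, $now));   // the same token submitted again
```

random_bytes() requires PHP 7 or later. Limiting failed attempts per account is a separate control that this sketch leaves out.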