When users register an account they get an email with a verification code that they can click to verify their accounts.
This is how I generate the verification code.
md5(rand(0,1000)
Is using the method below a bad choice? It generates a random number between 0-1000. Since there are only 1000 options, and their MD5 hashes are known, it should take an attacker just a 1000 trials to verify the account without it really belonging to them