Reputation: 23290
How to prevent collisions when generating registration activation keys?
I'm working on a big project's registration system.
After successful signup, the server generates some activation key, adds it to user's row and sends it to user by email. Using some password generator class for this purpose.
The question is (I know that it sounds abstract but I just wonder), how to avoid duplicate pass generation? I mean, is there any chance that in future generator can create the activation key that already exists in db table? Should I check for duplication after key generation?
Upvotes: 3
Views: 968
Answers (5)
Reputation: 71
Use GUID as your registration key, as it is always unique and generated by system
Upvotes: 0
Reputation: 562651
I would recommend using the Text_Password package from PEAR. Don't try to reinvent this wheel.
Don't force passwords to be strictly unique. It's actually less secure to have that enforcement. Consider that if I try to set my password to xyzzy and the site tells me I can't, that means now I know some account is using xyzzy as a password. I just have to try that password on all accounts until I find which one.
Don't use a hash digest as a generated password. Your users don't want to type in a hex string of 32 character (or longer). I have had the experience of coding a secure software activation key package in 2001, using PKI and MD5 hashes. But no one would use it because the keys were too long.
Do use a hash digest and salt to store passwords. Read this article by our fearless leader: You're Probably Storing Passwords Incorrectly.
See also my answers to a few other password-related questions:
- How to generate random password, or temporary URL, for resetting password in Zend Framework?
- PHP & MySQL compare password
- What data type to use for hashed password field and what length?
- How large should my password salt be?
Upvotes: 3
Reputation: 10518
Using a hash algorithm like SHA or Whirlpool with a unique input (like the users' unique username) will result in a hash that has an expected collision rate of 0.
I wouldn't roll my own algorithm for this. uniqid() or md5(), as mentioned, are guaranteed solutions.
Upvotes: 1
Reputation: 4530
You could use the time, but it won't be "random" you'd have to add some randomness to it...
$key = md5(time());
Upvotes: 0
Related Questions
- How to generate unique secure random string in PHP?
- Generate save activation key as product key
- What is the best way to generate a random key within PHP?
- Generating a Random Alphanumeric String When Registering User Account
- Is rand() secure to creating an activation number in PHP
- easiest way to generate an unique and random key
- Create keys randomly with PHP
- Calculate two random numbers for preventing spamming of register members in PHP
- PHP - Create random hash string for email closed loop verification
- random key generator with validity check