
What is the best algorithm to create a hash (as a verification id) for new users to verify their accounts?

MD5 seems to be the answer everywhere I look, but all the sources are at least 3 or 4 years old. I just want to make sure that MD5 is still the best option today...

I use the password_hash() function for passwords which I believe uses the Blowfish algorithm and adds a random salt, but is that necessary for a verification ID?

Giacomo1968
  • Generally speaking if you are looking to hash something, MD5 is your baseline. For a verification ID you may not need to use a salt, that is up to you, but you always want to run the MD5 hash a number of times that is > 1. – the_pete May 07 '14 at 14:57
  • I use `openssl_random_pseudo_bytes($length);` with `length = 16`. And need to be url encoded. – iamsleepy May 07 '14 at 14:58
  • md5 is a weaker algorithm. I generally use sha1, but for more security you can expand to any of the hashing algorithms (sha256 has been used recently in my workplace for a higher security hash) – Travis Weston May 07 '14 at 14:58

2 Answers


MD5 is fine to generate a hash, if you just want to create verification tokens you can use something like:

$token = md5(uniqid(mt_rand(), true));

Don't use MD5 for passwords unless you are using a salt, and even then you should use a stronger bcrypt algorithm.

Also see Generating cryptographically secure tokens

fire

For this purpose, MD5 is just an 'encoding'. As long as the source value that you run the MD5 on is properly random, it can be safely used.

Any random (with a proper algorithm) 128 bit value will do fine (either a GUID (as long as it is v4), or just a base64-encoded crypto-random byte array, or MD5 on the same array).

You just have to make sure that it cannot be guessed. So mostly you would want to add some sort of invalid-token counter by IP address that blocks the access after certain number of times.

Also you would probably want to add some sort of expiration (like valid for 24 hours) for the code for the same reason.

Knaģis
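The advice from both answers combined into one PHP 7.4+ example: a 128-bit token drawn straight from the OS CSPRNG with random_bytes() (in place of md5(uniqid(mt_rand(), true)) from the first answer), a 24-hour expiry and a per-IP counter of failed checks as the second answer suggests, plus two things neither answer spells out: only a SHA-256 hash of the token is stored, and the comparison uses hash_equals() so timing does not leak anything. This is an added example, not code from the question or either answer; the in-memory arrays stand in for database tables, and the TTL, the lockout threshold and the VerificationTokens class name are assumptions.

```php
<?php
// Added example (not from the original question or answers): e-mail verification
// tokens that are crypto-random, stored only as a hash, time-limited, single-use,
// and protected by a per-IP failed-attempt counter. Arrays stand in for DB tables.
declare(strict_types=1);

final class VerificationTokens
{
    private const TTL_SECONDS = 24 * 3600;   // assumption: token valid for 24 hours
    private const MAX_FAILURES_PER_IP = 5;   // assumption: lock an IP after 5 bad checks

    /** @var array<int, array{hash: string, expires: int}> pending tokens keyed by user id */
    private array $pending = [];
    /** @var array<string, int> failed-check counter keyed by client IP */
    private array $failures = [];

    /** Issue a token for $userId; returns the URL-safe token to e-mail. Only its hash is kept. */
    public function issue(int $userId, int $now): string
    {
        // 16 bytes = 128 bits from the OS CSPRNG; no seed, no uniqid(), no MD5 "mixing" needed.
        // Base64url (RFC 4648 alphabet '-' and '_', padding stripped) keeps it safe in a URL.
        $token = rtrim(strtr(base64_encode(random_bytes(16)), '+/', '-_'), '=');
        $this->pending[$userId] = [
            'hash'    => hash('sha256', $token),   // a leaked table yields no usable tokens
            'expires' => $now + self::TTL_SECONDS,
        ];
        return $token;
    }

    /** Check $token for $userId coming from $ip at time $now. Consumes the token on success. */
    public function verify(int $userId, string $token, string $ip, int $now): bool
    {
        if (($this->failures[$ip] ?? 0) >= self::MAX_FAILURES_PER_IP) {
            return false;                              // this IP has guessed too often
        }
        $record = $this->pending[$userId] ?? null;
        if ($record === null || $now > $record['expires']) {
            unset($this->pending[$userId]);            // drop an expired record
            $this->failures[$ip] = ($this->failures[$ip] ?? 0) + 1;
            return false;                              // no token outstanding, or expired
        }
        // Both sides are 64-char hex digests, so hash_equals() compares in constant time
        // and the response time does not reveal how many leading characters matched.
        if (!hash_equals($record['hash'], hash('sha256', $token))) {
            $this->failures[$ip] = ($this->failures[$ip] ?? 0) + 1;
            return false;
        }
        unset($this->pending[$userId]);                // single use
        return true;
    }
}

// Usage with constructed values (user id 42, documentation IP 203.0.113.7):
$tokens = new VerificationTokens();
$now    = time();
$token  = $tokens->issue(42, $now);

var_dump($tokens->verify(42, 'not-the-token', '203.0.113.7', $now));       // bool(false)
var_dump($tokens->verify(42, $token, '203.0.113.7', $now));                // bool(true)
var_dump($tokens->verify(42, $token, '203.0.113.7', $now));                // bool(false), already used
$late = $tokens->issue(42, $now);
var_dump($tokens->verify(42, $late, '203.0.113.7', $now + 25 * 3600));     // bool(false), expired
```

Two design notes. Hashing the stored copy matters because a verification token is effectively a one-time password: if the table leaks, an attacker who holds raw tokens can verify any pending account, whereas SHA-256 of a 128-bit random value cannot be reversed or brute-forced. The per-IP counter from the second answer is a coarse brake on online guessing, but a 128-bit token is already far beyond reach of guessing; the counter mainly limits abuse and log noise, so a low threshold with a cooldown is preferable to a permanent block on a shared NAT address.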