What is the most secure random number generator function to use?

I have read around and opinions seem not to be the same everywhere. Personally I have used rand() until now, but I have read that it might be a predictable function for use with random passwords, for example. I would like to know what could be the best way to get an unpredictable random number.

Edited by alexandre
17 minutes ago, alexandre said:

what could be the best way to get an unpredictable random number.

Don't use a number. Each character in a number can be 1 of 10 choices.

If you use a string of mixed uppercase, lowercase, numbers and punctuation, each character can be 1 of 90 (approx) characters.

rand() wasn't very good until PHP 7.1 when they made it be the same thing as mt_rand(). Is it cryptographically secure? No. Is that relevant to what 99.9% of people need it for, including you? Also no.

Create an "alphabet" of the characters you want to support in the password, which I say because omitting ones like O/0 is reasonable, then write a simple for loop that creates a password of whatever length you want by drawing from that alphabet.

Also, creating passwords like this is typically wrong.

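The alphabet-and-loop approach described in the post above, as an added example that is not part of the original thread: it draws each character with random_int(), PHP's built-in cryptographically secure integer function (PHP 7.0 and later), and includes a seeded mt_rand() variant only to show that a seedable generator repeats its output. The function names and both alphabets are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Build a random code by drawing each character from $alphabet,
 * using random_int(), which is backed by the operating system's CSPRNG.
 */
function randomCode(int $length, string $alphabet): string
{
    $size = strlen($alphabet);
    if ($length < 1 || $size < 2) {
        throw new InvalidArgumentException('Need length >= 1 and at least 2 symbols.');
    }
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() is uniform over [0, $size - 1], so there is no modulo bias.
        $code .= $alphabet[random_int(0, $size - 1)];
    }
    return $code;
}

/** Same loop with mt_rand(), kept only to show what a seedable generator implies. */
function seededCode(int $seed, int $length, string $alphabet): string
{
    mt_srand($seed); // output is now fully determined by $seed
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= $alphabet[mt_rand(0, strlen($alphabet) - 1)];
    }
    return $code;
}

// Hypothetical alphabets: digits for a PIN; letters and digits without O/0 and I/1.
const PIN_ALPHABET  = '0123456789';
const CODE_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';

// Same seed gives the same code: the sequence is a function of internal state.
var_dump(seededCode(1234, 8, CODE_ALPHABET) === seededCode(1234, 8, CODE_ALPHABET));

echo randomCode(6, PIN_ALPHABET), PHP_EOL;   // short numeric PIN
echo randomCode(12, CODE_ALPHABET), PHP_EOL; // longer voucher code

// Keyspace comparison: 10^6 PINs versus 32^12 (2^60) voucher codes.
printf("%d vs %.3e\n", 10 ** 6, 32 ** 12);
```

A short numeric PIN has a small keyspace whichever generator produces it, so it also needs an attempt limit on the lookup form.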

I didn't use rand() for a password but for a numeric code, as for the code of the voucher. I just read about some people being able to work around and predict your next generated number by cracking the algorithm used for it. My use of the function I am searching for would be a shorter, randomly generated PIN that I would ask the user to enter if they ever lose the voucher code; it will let me easily target their exact voucher. My voucher system is already functioning perfectly, but I wasn't sure anymore about using rand().

1 hour ago, Barand said:

Don't use a number. Each character in a number can be 1 of 10 choices.

If you use a string of mixed uppercase, lowercase, numbers and punctuation, each character can be 1 of 90 (approx) characters.

Yes, this makes me think about making it required to have different characters in their password for their accounts. The voucher's password is chosen by the creator of the voucher and can then be shared if they want to trade funds with other users; this should also be required for those. Thank you for the reminder.

1 hour ago, alexandre said:

I didn't use rand() for a password but for a numeric code, as for the code of the voucher. I just read about some people being able to work around and predict your next generated number by cracking the algorithm used for it. My use of the function I am searching for would be a shorter, randomly generated PIN that I would ask the user to enter if they ever lose the voucher code; it will let me easily target their exact voucher. My voucher system is already functioning perfectly, but I wasn't sure anymore about using rand().

It's not that simple. People can't simply look at a number X and say "oh, now the next number will be Y". What they do is generate tons and tons of X values, analyze the patterns, and then predict what the next few Ys could be.

That kind of thing is just not something most developers have to worry about. It's the realm of governments and banks.

OK, thank you. Some places I read seemed to say people were stupid not to take that into account while developing a website.

47 minutes ago, alexandre said:

OK, thank you. Some places I read seemed to say people were stupid not to take that into account while developing a website.

Only a Sith deals in absolutes.

There's a very basic principle to consider: cost versus benefit. The issue here is whether to invest some undetermined amount of effort into making sure a theoretical attack on your voucher codes isn't possible. The cost is moderately high and the benefit, assuming we're not talking about vouchers worth thousands or millions of dollars, is negligible. It's not worth worrying about.

The thing is, it could become this important in the future. You won't go far if you see little, as they say, so that's why I was trying to make things as unbreachable as possible for any eventuality.
