alexandre, posted November 22, 2022 (edited November 22, 2022 by alexandre)

I have read around and opinions seem not to be the same everywhere. Personally I have used rand() until now, but I have read that it might be a predictable function for use with random passwords, for example. I would like to know what could be the best way to get an unpredictable random number.

Barand, posted November 22, 2022

17 minutes ago, alexandre said:
> what could be the best way to get an unpredictable random number.

Don't use a number. Each character in a number can be 1 of 10 choices. If you use a string of mixed uppercase, lowercase, numbers and punctuation, each character can be 1 of 90 (approx) characters.

requinix, posted November 22, 2022

rand() wasn't very good until PHP 7.1 when they made it be the same thing as mt_rand(). Is it cryptographically secure? No. Is that relevant to what 99.9% of people need it for, including you? Also no.

Create an "alphabet" of the characters you want to support in the password, which I say because omitting ones like O/0 is reasonable, then write a simple for loop that creates a password of whatever length you want by drawing from that alphabet.

Also, creating passwords like this is typically wrong.

alexandre, posted November 22, 2022

I didn't use rand() for a password but for a numeric code, as for the code of the voucher. I just read about some people being able to work around and predict your next number generated by cracking the algorithm used for it. My use of this function I am searching for would be as a shorter PIN randomly generated that I would ask the user to enter if they ever lose the voucher code; it will make me able to easily target their exact voucher. My voucher system is already functioning perfectly but I wasn't sure anymore about using rand().

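The alphabet-and-loop generator requinix describes, applied to a voucher code and to the short numeric PIN from the post above, as an added example that is not code from any poster in this thread. It draws indexes with PHP's random_int(), which reads from the operating system's CSPRNG; the function names random_code and code_entropy_bits, both alphabets and the lengths are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Build a code of $length characters drawn from $alphabet.
 * random_int() pulls from the operating system's CSPRNG and returns
 * uniformly distributed integers, so no index is favoured.
 */
function random_code(int $length, string $alphabet): string
{
    $max = strlen($alphabet) - 1;
    if ($length < 1 || $max < 1) {
        throw new InvalidArgumentException('need length >= 1 and at least 2 symbols');
    }
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= $alphabet[random_int(0, $max)];
    }
    return $code;
}

/** Bits of entropy in a code: length * log2(alphabet size). */
function code_entropy_bits(int $length, string $alphabet): float
{
    return $length * log(strlen($alphabet), 2);
}

// Constructed alphabets (assumptions). The voucher alphabet leaves out
// upper-case I and O, lower-case l, and the digits 0 and 1.
const VOUCHER_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789';
const PIN_ALPHABET = '0123456789';

$voucher = random_code(16, VOUCHER_ALPHABET);
$pin = random_code(6, PIN_ALPHABET);

printf("voucher %s (%.1f bits)\n", $voucher, code_entropy_bits(16, VOUCHER_ALPHABET));
printf("pin     %s (%.1f bits)\n", $pin, code_entropy_bits(6, PIN_ALPHABET));

// For contrast: mt_rand() is deterministic given its seed, so re-seeding
// with the same value replays the same sequence. random_int() has no seed.
mt_srand(1234);
$first = [mt_rand(0, 9), mt_rand(0, 9), mt_rand(0, 9)];
mt_srand(1234);
$second = [mt_rand(0, 9), mt_rand(0, 9), mt_rand(0, 9)];
var_dump($first === $second);
```

A six-digit PIN has only one million possible values however it is generated, so the lookup that accepts it needs attempt limiting on the server side.
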
alexandre, posted November 22, 2022

1 hour ago, Barand said:
> Don't use a number. Each character in a number can be 1 of 10 choices. If you use a string of mixed uppercase, lowercase, numbers and punctuation, each character can be 1 of 90 (approx) characters.

Yes, this makes me think about making it required to have different characters in their password for their accounts. The voucher's password is chosen by the creator of the voucher and can then be shared if they want to trade funds with other users; this should also be required for those. Thank you for the reminder.

requinix, posted November 22, 2022

1 hour ago, alexandre said:
> I didn't use rand() for a password but for a numeric code, as for the code of the voucher. I just read about some people being able to work around and predict your next number generated by cracking the algorithm used for it. My use of this function I am searching for would be as a shorter PIN randomly generated that I would ask the user to enter if they ever lose the voucher code; it will make me able to easily target their exact voucher. My voucher system is already functioning perfectly but I wasn't sure anymore about using rand().

It's not that simple. People can't simply look at a number X and say "oh, now the next number will be Y". What they do is generate tons and tons of X values, analyze the patterns, and then predict what the next few Ys could be.

That kind of thing is just not something most developers have to worry about. It's the realm of governments and banks.

alexandre, posted November 23, 2022

OK, thank you. Some places I read seemed to say people were stupid to not take that into account while developing a website.

requinix, posted November 23, 2022

47 minutes ago, alexandre said:
> OK, thank you. Some places I read seemed to say people were stupid to not take that into account while developing a website.

Only a Sith deals in absolutes.

There's a very basic principle to consider: cost versus benefit. The issue here is whether to invest some undetermined amount of effort into making sure a theoretical attack on your voucher codes isn't possible. The cost is moderately high and the benefit, assuming we're not talking about vouchers worth thousands or millions of dollars, is negligible. It's not worth worrying about.

alexandre, posted November 23, 2022

The thing is, it could become this important in the future. You won't go far if you see little, as they say, so that's why I was trying to make things as unbreachable as possible for any eventuality.