md5(microtime())

Don’t use md5(microtime()). You might think it’s more secure than md5(rand()), but it isn’t.

With a decent number of tries and a way to sync clocks (like a clock on your website), one can predict the result of microtime() to the millisecond. This leaves only about 1000 possible return values for microtime() to be guessed. That isn’t safe.

Just stick with md5(rand()), and if you’re lucky and rand() is backed by /dev/random you won’t even need the md5(). In both cases it will be quite a lot more secure than using microtime().
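The arithmetic behind the 1000-value claim, as an added PHP example that is not part of the original post: it rebuilds the microtime() string for every microsecond of a known millisecond and checks that a freshly minted token is among the results. The function names are hypothetical, and the random_bytes() line is a comparison added here, not something the post recommends.

```php
<?php
// Added example, not code from the original post.

// Rebuild the string microtime() returns ("0.uuuuuu00 seconds") for a given instant.
function microtime_string(int $sec, int $usec): string
{
    return sprintf('0.%06d00 %d', $usec, $sec);
}

// Every value md5(microtime()) can take inside one known millisecond:
// microtime() has microsecond resolution, so 1000 slots remain.
function tokens_in_millisecond(int $sec, int $msec): array
{
    $tokens = [];
    for ($usec = $msec * 1000; $usec < ($msec + 1) * 1000; $usec++) {
        $tokens[] = md5(microtime_string($sec, $usec));
    }
    return $tokens;
}

// Constructed sample: mint a token the way the post warns against,
// keeping the exact string that was hashed so the check below is fair.
$stamp = microtime();                  // format: "0.25139100 1700000000"
$token = md5($stamp);
[$frac, $sec] = explode(' ', $stamp);
$msec = intdiv((int) substr($frac, 2, 6), 1000);

$candidates = tokens_in_millisecond((int) $sec, $msec);
printf("candidates once the millisecond is known: %d (%.1f bits)\n",
    count($candidates), log(count($candidates), 2));
printf("token found among them: %s\n",
    in_array($token, $candidates, true) ? 'yes' : 'no');

// For comparison: the input space of md5(rand()) and of a CSPRNG token.
printf("md5(rand()) inputs: %.1f bits\n", log(getrandmax() + 1, 2));
printf("bin2hex(random_bytes(16)): 128 bits, e.g. %s\n", bin2hex(random_bytes(16)));
```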

3 thoughts on “md5(microtime())”

  1. I agree rand is better, but if you really want to use the microtime use something randomly like

    $random = md5(microtime() . "confusion and fustration in modern times");

  2. I agree with the last option. It works perfectly for me. That is md5(rand().microtime()).
