
Using getSaltBytes to generate password reset keys

Hi,

I need to generate password reset links with random tokens, something like 8-20 random alphanumeric characters to append to a password reset link. Is it a good idea to use getSaltBytes() to generate these tokens?

Below is an example of what I need (I used getSaltBytes() to achieve this, the first param is the user id):

     <a href="https://site.com/account/reset/1/qPKmBOSNXTRcsVoqtvkA">link</a>

So far I have received some seemingly random strings; they can vary by 1 character and seem to have no distinct pattern.

Could someone who has done something like this before offer some advice, and give me reason why this might or might not be a good idea, if so please could you offer a better solution?

I have to finish this Uni project by Monday ^^,

getSaltBytes() returns the specified number of random bytes generated by the function openssl_random_pseudo_bytes(). However, this function doesn't guarantee true randomness, but OpenSSL will provide enough entropy to serve you good randomness. Another option you might want to explore is UUIDs: https://github.com/ramsey/uuid
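The pattern the thread is circling (a high-entropy random token in the link, only a hash of it stored, expiry and single use enforced on redemption), written out as an added example. This is not code from either poster or from Phalcon itself; it uses PHP's built-in random_bytes() as the CSPRNG in place of getSaltBytes(), and an in-memory array is an assumed stand-in for the database table that a real application would use.

```php
<?php
declare(strict_types=1);

// Added example (not from the forum thread or from Phalcon): issue and redeem
// single-use, expiring password reset tokens. The $store array is an assumed
// stand-in for a database table; replace it with your model or PDO calls.
final class PasswordResetTokens
{
    private const TOKEN_BYTES = 20;    // 160 bits of entropy per token
    private const TTL_SECONDS = 3600;  // links are valid for one hour

    /** @var array<string, array{user_id:int, expires:int}> keyed by token hash */
    private array $store = [];

    /** Create a token for $userId and return the raw value to embed in the link. */
    public function issue(int $userId, ?int $now = null): string
    {
        $now = $now ?? time();
        // random_bytes() is PHP's CSPRNG (PHP >= 7.0). Phalcon's getSaltBytes()
        // draws on the same kind of OS-backed source, so either is acceptable here.
        $raw = random_bytes(self::TOKEN_BYTES);
        // URL-safe base64 keeps the token to [A-Za-z0-9-_] with no padding.
        $token = rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
        // Persist only a hash: a leaked table does not yield usable reset links.
        $this->store[self::hashToken($token)] = [
            'user_id' => $userId,
            'expires' => $now + self::TTL_SECONDS,
        ];
        return $token;
    }

    /**
     * Consume a token presented together with the user id from the URL.
     * Returns the user id on success, null on any failure. The entry is deleted
     * on first presentation so a link can never be replayed.
     */
    public function redeem(int $userId, string $token, ?int $now = null): ?int
    {
        $now = $now ?? time();
        $key = self::hashToken($token);
        if (!isset($this->store[$key])) {
            return null;
        }
        $entry = $this->store[$key];
        unset($this->store[$key]);          // single use, even if it turns out to be expired
        if ($entry['expires'] < $now) {
            return null;                     // expired
        }
        if ($entry['user_id'] !== $userId) {
            return null;                     // token does not belong to the user in the URL
        }
        return $entry['user_id'];
    }

    /** Build a link in the same shape as the one in the question. */
    public function buildLink(string $base, int $userId, string $token): string
    {
        return rtrim($base, '/') . '/' . $userId . '/' . rawurlencode($token);
    }

    private static function hashToken(string $token): string
    {
        // Lookup by hash of a 160-bit random value; no secret key is needed
        // because the token itself is unguessable.
        return hash('sha256', $token);
    }
}

// Usage (constructed values):
$tokens = new PasswordResetTokens();
$token  = $tokens->issue(1);
echo $tokens->buildLink('https://site.com/account/reset', 1, $token), PHP_EOL;
var_dump($tokens->redeem(1, $token));   // int(1): first use succeeds
var_dump($tokens->redeem(1, $token));   // NULL: second use is rejected
```

Two choices worth noting: the token is never stored in the clear, so a read-only database compromise does not let anyone reset passwords, and the entry is removed before the expiry check so that an expired or mismatched token is burned rather than left for another attempt. The 20 bytes here are the entropy budget, not the character count; 160 random bits encoded as base64url come out at 27 characters, comfortably above the 8-20 the question mentions, and shortening the token below roughly 16 bytes is where guessing starts to become a realistic concern.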