What is a good PHP hashing algorithm for account verification by email?

StackOverflow https://stackoverflow.com/questions/23521272

17-07-2023

Question

What is the best algorithm to create a hash (as a verification id) for new users to verify their accounts?

MD5 seems to be the answer everywhere I look, but all the sources are at least 3 or 4 years old. I just want to make sure that MD5 is still the best option today...

I use the password_hash() function for passwords, which I believe uses the Blowfish algorithm and adds a random salt, but is that necessary for a verification ID?


Solution

For this purpose, MD5 is just an 'encoding'. As long as the source value that you run the MD5 on is properly random, it can be safely used.

Any random (with a proper algorithm) 128 bit value will do fine (either a GUID (as long as it is v4) or just a base64 encoded crypto-random byte array, or MD5 on the same array).

You just have to make sure that it cannot be guessed. So mostly you would want to add some sort of invalid-token counter by IP address that blocks the access after certain number of times.

Also you would probably want to add some sort of expiration (like valid for 24 hours) for the code for the same reason.

Other tips

MD5 is fine to generate a hash, if you just want to create verification tokens you can use something like:

$token = md5(uniqid(mt_rand(), true));

Don't use MD5 for passwords unless you are using a salt, and even then you should use a stronger bcrypt algorithm.

Also see Generating cryptographically secure tokens
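The two answers above agree on the design: the token's strength comes from the random source, not from MD5, and it should expire and be protected by a failed-attempt counter. The following is an added example, not code from either answer, showing that design end to end with PHP's CSPRNG (random_bytes) instead of uniqid()/mt_rand(). The in-memory arrays, the function names issueToken/verifyToken, the 24-hour TTL and the per-IP limit of 10 are assumptions standing in for a real database table and policy.

```php
<?php
// Added example (not from the original answers): email verification tokens
// generated from a CSPRNG, stored only as a SHA-256 digest, single-use,
// with a 24-hour expiry and a per-IP failed-attempt lockout.
// $tokens and $failures are in-memory stand-ins for database tables.

declare(strict_types=1);

const TOKEN_TTL_SECONDS   = 24 * 60 * 60;   // "valid for 24 hours", as the answer suggests
const MAX_FAILURES_PER_IP = 10;             // assumed lockout threshold

$tokens   = [];   // userId => ['hash' => sha256 hex, 'expires' => unix time]
$failures = [];   // ip     => number of failed verification attempts

/**
 * Issue a token for a newly registered user and return the raw token
 * (this is what goes into the email link). Only its SHA-256 digest is
 * stored, so a leaked table row cannot be replayed as a valid link.
 */
function issueToken(array &$tokens, int $userId): string
{
    // 16 bytes = 128 bits from the OS CSPRNG; hex keeps it URL-safe.
    $token = bin2hex(random_bytes(16));
    $tokens[$userId] = [
        'hash'    => hash('sha256', $token),
        'expires' => time() + TOKEN_TTL_SECONDS,
    ];
    return $token;
}

/**
 * Verify a token presented from the link. On success the token is consumed
 * and true is returned; otherwise a failure is counted against the client IP.
 */
function verifyToken(array &$tokens, array &$failures, int $userId, string $presented, string $ip): bool
{
    // Locked-out addresses get no oracle at all: refuse before comparing.
    if (($failures[$ip] ?? 0) >= MAX_FAILURES_PER_IP) {
        return false;
    }

    $record = $tokens[$userId] ?? null;
    $ok = $record !== null
        && time() < $record['expires']
        // hash_equals() is a constant-time comparison on two equal-length digests,
        // so the check does not leak how many leading bytes matched.
        && hash_equals($record['hash'], hash('sha256', $presented));

    if (!$ok) {
        $failures[$ip] = ($failures[$ip] ?? 0) + 1;
        return false;
    }

    unset($tokens[$userId]);   // single use: a verified link cannot be replayed
    return true;
}

// Usage: issue a token for user 42, try a wrong value, the right one, then a replay.
$t  = issueToken($tokens, 42);
$ip = '203.0.113.5';   // constructed client address
var_dump(verifyToken($tokens, $failures, 42, 'not-the-token', $ip));
var_dump(verifyToken($tokens, $failures, 42, $t, $ip));
var_dump(verifyToken($tokens, $failures, 42, $t, $ip));
```

Because the raw token never touches the database, hashing it on the server side is what makes the stored value useless to an attacker who reads the table; MD5 or SHA-256 makes no practical difference there as long as the 128 bits of input were unpredictable to begin with.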

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow