Search code examples

Is secure to use a md5 hash as registering string token?

I'm starting to develop the user's registration on my project. The users would confirm their registering by a link sent by email.

I thought I could use the email inserted on the form, plus a random salt, and hash this concatened string, so that becomes each string token unique. The link would be something like this:

I think it's good and easy to build, but I'm not sure if it's secure enough.

I'm developing this project using CakePHP 2.7 and SQL Server 2014.


  • It really depends on how you generate the MD5. Just ensure your data is random. I don't use MD5 for generating these types of hashes, and instead will do something like:

    $email_token = openssl_random_pseudo_bytes(16);
    $token = bin2hex($email_token);

    Personally, I would opt for something like this using random_bytes if using PHP7.

    $email_token = bin2hex(random_bytes($length));

    For PHP5 there's a polyfill available: