TalkPHP - Advanced PHP Programming - Pin System (http://www.talkphp.com/advanced-php-programming/4775-pin-system.html)

Mike 07-23-2009 09:12 PM

Pin System
Hi guys, i have a special problem to solve :P

this is the thing, i need a pin system, so if a user enters a pin (a 12-digit code might be) he will gain access to certain area.

The problem is i just can't figure out a correct and secure way to generate those codes, should i have to generate them randomly, how many should i generate or anything...?

if anyone of you have info about a similar system please let me know.

Village Idiot 07-23-2009 09:26 PM

Quote:

Originally Posted by Mike (Post 27287)
Hi guys, i have a special problem to solve :P

this is the thing, i need a pin system, so if a user enters a pin (a 12-digit code might be) he will gain access to certain area.

The problem is i just can't figure out a correct and secure way to generate those codes, should i have to generate them randomly, how many should i generate or anything...?

if anyone of you have info about a similar system please let me know.

Random generation is fine, one random generation will be sufficient per pin.

tony 07-24-2009 01:45 AM

just make sure that the pin generated is unique. I haven't done anything like this, but I am guessing the encrypting functions (like md5, sha1, base, ...) could come in handy along with the random function.

Village Idiot 07-24-2009 03:36 AM

Quote:

Originally Posted by tony (Post 27289)
just make sure that the pin generated is unique. I haven't done anything like this, but I am guessing the encrypting functions (like md5, sha1, base, ...) could come in handy along with the random function.

I don't see how an encryption function would be of any use, MD5 and SHA1 both turn something into a given length base-16 number (meaning numbers and a-f). This has less possibilities than all letters and numbers.

Uniqueness is only a requirement if it is the only source of verification. Not allowing keys to be duplicated lessens the possible amount of combinations the user could have. Although this makes no real difference in practice.

Mike 07-24-2009 03:49 AM

Thanks for your help :)
well VI, i need only number codes in fact.

I was thinking of another problem :P, what if after a couple of years i've generated tons of Pins, what should i do?? reset them all? (i don't think this is a good idea, cause people might use their old pins), maybe adding one more digit?? (adding a digit is a pain in the ass for users, but all new pins would be unique)

Village Idiot 07-24-2009 04:01 AM

Quote:

Originally Posted by Mike (Post 27291)
Thanks for your help :)
well VI, i need only number codes in fact.

I was thinking of another problem :P, what if after a couple of years i've generated tons of Pins, what should i do?? reset them all? (i don't think this is a good idea, cause people might use their old pins), maybe adding one more digit?? (adding a digit is a pain in the ass for users, but all new pins would be unique)

Seven digits will cover 9,999,999 pins, five alpha-numeric characters will hold 36^5 or 52,521,875 different possibilities. But when you get even close to full, it becomes a security risk. Even using .1% will take 1,000 tries on average to correctly guess. I highly recommend a user name and password as opposed to singularly validating by a pin.

At work, for any system of reasonable value we force at least eight characters with at least one number, upper case letter and punctuation mark. This means that each user has 8^63 possible combinations, but a strong password (ten or more chars) has at least 10^63.

If you use sha1 to hash your passwords (and make guessing the sha1 value directly available), you are limited to 28^16 since that is the number of possible combinations a 28 place base-16 digit can hold. But that is why you shouldn't store the password even if hashed directly in the cookie.

Hightower 07-24-2009 07:49 AM

The way I've done this in the past was:

PHP Code:

$pin = md5(rand()); // rand() is not a cryptographic generator; md5() yields 32 hex characters

And then cut the $pin value down to the first 'x' amount of characters.

codefreek 07-24-2009 08:30 AM

What i would do is generate a new pin every 30 days that way you can delete the old one and it wont be so many :)

Village Idiot 07-24-2009 02:54 PM

Quote:

Originally Posted by codefreek (Post 27294)
What i would do is generate a new pin every 30 days that way you can delete the old one and it wont be so many :)

How would that reduce the numbers? Deleting one and creating another really does nothing.

Mike 07-24-2009 03:03 PM

Yeah VI, a username and password is more secure, but suppose this is a paid service, you register in a website by paying online. But these pins are a tangible way to register (they will be a piece of paper which will be bought somewhere :P), so after buying these pins you can register in the site without paying online, in other words those pins are an alternative to paying online.

Village Idiot 07-24-2009 03:06 PM

If it can be written down, make it alpha-numeric (non case sensitive) and rather long. 15 characters would be easily suitable.
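An added example, not code from the thread, of the scheme Village Idiot recommends: 15-character, case-insensitive alphanumeric pins drawn from PHP's cryptographically secure random_int(), stored only as keyed hashes and redeemable once. The pins table and its columns, $serverKey, and the MySQL-specific INSERT IGNORE are assumptions; expectedGuesses() carries out the 36^n keyspace arithmetic discussed earlier in the thread.

```php
<?php
// Added example, not code from the thread; table/column names are hypothetical.
const PIN_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'; // 36 symbols, not case sensitive
const PIN_LENGTH   = 15;

// One pin from the CSPRNG random_int(); rand()/md5(rand()) are predictable.
function generatePin(): string {
    $pin = '';
    for ($i = 0; $i < PIN_LENGTH; $i++) {
        $pin .= PIN_ALPHABET[random_int(0, strlen(PIN_ALPHABET) - 1)];
    }
    return implode('-', str_split($pin, 5)); // groups of five are easier to copy from paper
}

// Canonical form of what the user typed: case-insensitive, separators ignored.
function normalizePin(string $input): string {
    return strtoupper(preg_replace('/[^A-Za-z0-9]/', '', $input));
}

// Store only a keyed hash so a leaked pins table does not reveal unsold pins.
// $serverKey is a secret kept outside the database (assumption).
function pinHash(string $pin, string $serverKey): string {
    return hash_hmac('sha256', normalizePin($pin), $serverKey);
}

// Average online guesses needed while $issued pins are live in a space of 36^n.
// Issuing 10 million 15-character pins still leaves ~1.1e16 guesses on average.
function expectedGuesses(int $issued, int $length = PIN_LENGTH): float {
    return (36 ** $length) / (2 * $issued);
}

// Insert a fresh pin; pin_hash has a UNIQUE index, so a (vanishingly rare) collision retries.
function issuePin(PDO $db, string $serverKey): string {
    do {
        $pin  = generatePin();
        $stmt = $db->prepare('INSERT IGNORE INTO pins (pin_hash, used) VALUES (?, 0)'); // MySQL syntax
        $stmt->execute([pinHash($pin, $serverKey)]);
    } while ($stmt->rowCount() === 0);
    return $pin;
}

// Redeem atomically: the UPDATE only matches an unused pin, so each pin works once.
function redeemPin(PDO $db, string $serverKey, string $input): bool {
    $stmt = $db->prepare('UPDATE pins SET used = 1 WHERE pin_hash = ? AND used = 0');
    $stmt->execute([pinHash($input, $serverKey)]);
    return $stmt->rowCount() === 1;
}
```

Rate-limiting redemption attempts per client is what keeps the online guessing odds from expectedGuesses() meaningful in practice.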

