Is secure to use a md5 hash as registering string token?

Question

I'm starting to develop the user's registration on my project. The users would confirm their registering by a link sent by email.

I thought I could use the email inserted on the form, plus a random salt, and hash this concatened string, so that becomes each string token unique. The link would be something like this:

http://www.example.com/register/7ddf32e17a6ac5ce04a8ecbf782ca509

I think it's good and easy to build, but I'm not sure if it's secure enough.

I'm developing this project using CakePHP 2.7 and SQL Server 2014.

Answer 1

It really depends on how you generate the MD5. Just ensure your data is random. I don't use MD5 for generating these types of hashes, and instead will do something like:

$email_token = openssl_random_pseudo_bytes(16);
$token = bin2hex($email_token);

Personally, I would opt for something like this using random_bytes if using PHP7.

$email_token = bin2hex(random_bytes($length));

For PHP5 there's a polyfill available: https://github.com/paragonie/random_compat

Answer 2

You should think about what a potential attacker could do if he is able to generate tokens that do not belong to him and then decide if the MD5 hash is good enough.

If I got it correctly you just want to verify a users email and only create an account if the user really owns the email address. Would it be bad for you or the owner of the address if an attacker creates 1000 accounts with faked emails?

As always, security depends on the situation, IMO.

If you want to play it safe, don't let your token depend on user data. Generate a completely random token and save it beside the pending registration in your database.