php security registration

Is MD5 a good way to generate an account verification code?


When users register an account they get an email with a verification code that they can click to verify their accounts.

This is how I generate the verification code.

md5(rand(0,1000))

Is using the method below a bad choice? It generates a random number between 0-1000. Since there are only 1000 options, and their MD5 hashes are known, it should take an attacker just 1000 trials to verify the account without it really belonging to them.


Solution

  • Just seed it with something the attacker could not know:

    md5(rand(0,1000).'helloworld234');
    

    There is no limit to how crazy you could go:

    md5(md5(time().'helloguys'.rand(0,9999)));
    

    Way too much but you get the idea.
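The following is an added example (not code from the question or the answer above) showing how a verification token is usually generated so that its strength does not depend on keeping a suffix secret: the token comes from PHP's CSPRNG (`random_bytes`), only a digest of it is stored, it expires, it is single-use, and it is compared with `hash_equals`. The in-memory `$pendingVerifications` array stands in for a database table and the `example.com` link and user id 42 are constructed values.

```php
<?php
// Added example: verification tokens from a CSPRNG, not md5(rand(...)).
declare(strict_types=1);

const TOKEN_BYTES = 32;              // 256 bits of entropy, 64 hex characters
const TOKEN_TTL_SECONDS = 24 * 3600; // link is valid for one day

// Hypothetical in-memory store standing in for a table of
// (user_id, token_hash, expires_at) rows.
$pendingVerifications = [];

/**
 * Issue a verification token for $userId and return the raw token to put
 * in the email. Only a SHA-256 digest is stored, so a leaked table does not
 * hand out working verification links.
 */
function issueVerificationToken(array &$store, int $userId): string
{
    $token = bin2hex(random_bytes(TOKEN_BYTES)); // unpredictable, not enumerable
    $store[$userId] = [
        'token_hash' => hash('sha256', $token),
        'expires_at' => time() + TOKEN_TTL_SECONDS,
    ];
    return $token;
}

/**
 * Check the token presented in the clicked link. hash_equals() runs in
 * constant time, so the comparison does not reveal how much of the token
 * matched. A matching token is consumed so the link cannot be replayed.
 */
function verifyToken(array &$store, int $userId, string $presented): bool
{
    if (!isset($store[$userId])) {
        return false;
    }
    $record = $store[$userId];
    if (time() > $record['expires_at']) {
        unset($store[$userId]); // expired: discard and require a new link
        return false;
    }
    $ok = hash_equals($record['token_hash'], hash('sha256', $presented));
    if ($ok) {
        unset($store[$userId]); // single use
    }
    return $ok;
}

// Usage with a constructed user id and link.
$userId = 42;
$token = issueVerificationToken($pendingVerifications, $userId);
$link = 'https://example.com/verify?uid=' . $userId . '&token=' . urlencode($token);
echo "Email this link: $link\n";

var_dump(verifyToken($pendingVerifications, $userId, 'deadbeef')); // a guessed token
var_dump(verifyToken($pendingVerifications, $userId, $token));     // the real token
var_dump(verifyToken($pendingVerifications, $userId, $token));     // the same token replayed
```

The difference from `md5(rand(0,1000).'secret')` is in the number of possible tokens: appending a fixed string leaves 1001 candidates for anyone who learns the string, whereas 32 random bytes cannot be enumerated at all, so nothing about the generation scheme needs to stay hidden.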