Duplication of Generated PIN codes?

itservices

Hi,
I'm new to PHP and have a fellow helping to write a program to generate pin codes. Just to find out if it's possible to have duplication of these numbers. I.E. What are the possibilities of having another program that will possibly generate similar pin codes or at least some? Is this possible by any chance?

laserlight

By rough reckoning, a random 6 digit numeric PIN code generator would be expected to generate a duplicate PIN code after around the square root of 1 million, i.e., after about 1000 PIN codes have been generated.

On the other hand, PIN codes are supposed to be secret, so it does not matter if there are duplicates.

Xager

laserlight beat me too it =)

itservices

Many thanks. But to be more specific, what are the possibilities of hacking into a PHP program that generates pin codes by hackers? Any recommendation on how to make te program parmanently immune to hacking?

laserlight

But to be more specific, what are the possibilities of hacking into a PHP program that generates pin codes by hackers? Any recommendation on how to make te program parmanently immune to hacking?

You need to be more specific about what this PHP script does and what the PIN number is for. After all, a PIN number is no more than a numeric password. If you actually need a proper password, then generating short numeric passwords is a bad idea. It works for the PIN numbers used at ATMs because the user needs both the password and the ATM card, and a brute force attack to guess the password is difficult because it must be entered manually.

itservices

Hi, what the program is meant to do is to generate about 12 or 16 digits numeric numbers (pin) similar to the one used on payphone scratch cards. This is to be used for similar purposes on commercial basis. Hope it's a bit now more clearer. Thanks.

laserlight

In that case the security concern is with your server and the transmission of the PIN numbers. If your server is insecure, or the PIN numbers are communicated in the clear, then there is a security problem.

itservices

To get it straight, are you saying that there is no any known way on earth (at least at the moment) whereby a smart programmer can write another program that will generate same pin numbers (same as the ones from my own PHP program) or have some ways of breaking into my source codes over in internet to do same except there are security problems with my server?

If yes, are there other ways of securing a server other that going for the highest level of security with people like verisign, etc? Many thanks.

Desdinova

It depends a lot on the way you construct your PIN (personal identifcation Number « the number is already in here). If there's clear logic behind it, it might be cracked. if it's random and seeded properly, it might not be cracked.

Of course they'd need to see at least a few PINs to be able to crack the logic behind it. Unless they just try, and guess it right (which could be coincidence on their side, or bad logic on yours).

laserlight

To get it straight, are you saying that there is no any known way on earth (at least at the moment) whereby a smart programmer can write another program that will generate same pin numbers (same as the ones from my own PHP program) or have some ways of breaking into my source codes over in internet to do same except there are security problems with my server?

If someone knows what pseudorandom number generator (PRNG) is used, and what is the seed of that generator at the time that the PIN numbers were generated, then that person can regenerate the PIN numbers. The problem is that with a good PRNG and the use of random sources for the seed, it is very difficult to figure out the seed. It is much easier to simply intercept network traffic and find out what is the password, or to break into the server and find the password stored in the database, but encryption can stop these methods. If there is a way to electronically check for a valid PIN number without limit (or with a circumventable limit), then that would be easiest.

2. If yes, are there other ways of securing a server other that going for the highest level of security with people like verisign, etc? Many thanks.

You would need to harden the server itself, not just have encryption for data storage and transmission. But this is just common sense in server administration.

Xager

First of all as suggested, encrypt the codes (use https for starters).
The it all comes down to what seed you are using, try not to use the time since if anyone has the same time as you they WILL get the exact same codes as you.

itservices

Many thanks to all. Your contibutions has been very fantastic and eye opening!