I’ve been given the task of generating some gift tokens which comprise a serial number and a pin number, analagous to a pre-paid credit card. The serial and pin will be printed on a card, with the pin behind a scratch panel.
My first thought is for both numbers to be randomly generated with the serial number being unique. Is this secure against guessing?
To my simple mind, adding any kind of logic would make the numbers more gussable as there’d then be something to figure out and understand, whereas random is without reason (ignoring implementation details for now), and so while being simple using pure random gives the attacker less to work with.
Is this a flawed assumption? Are there known “good” ways of doing this?