> That's what we did in a previous site, we had over 100
> characters, but I felt that with being able to generate images
> using code that we could increase the potential number
> of available images, otherwise they could potentially
> figure out all of our codes at some point, depending on
> how the code revealed it, we use huge encrypted codes
> appended to the uid of each image, but there was always
> a risk with that

This is a common and totally false opinion that adding
"randomness" increases security. Note that whatever you do
programmatically will not be random anyway. Common sense
"randomness" often is not random at all.

"Huge encrypted codes" - what for? There is a well-known
approach used, for example, in NTLM or Digest to transmit
authentication without sending credentials. Of course, if you just
base64 encode the content of the image, you might be in trouble.

Again, with a good random sequence using proven methods of
transmitting authentication credentials, a static pool will work as
well as a real "random" image. The opposite is also true: if I can
figure out how you generate your "random" numbers (just Rand()?), I can
find your next number. If I crack your "Huge encrypted codes", I
do not even need to look at the image.

Just curious, what kind of Web site are you
protecting???
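
The point made in the reply above (a static image pool is fine as long as the selection is unpredictable and the identifier sent to the browser says nothing about the answer), as an added example that is not part of the original post or either poster's code. It uses a server-side token map rather than the NTLM/Digest scheme the reply mentions; the pool contents, class name and TTL are assumptions made for illustration.

```python
import hmac
import secrets
import time

# Constructed static pool: image id -> expected answer (sample data, not from the post).
POOL = {"img-001": "k7wq2", "img-002": "m3xp9", "img-003": "t8hd4"}
TTL_SECONDS = 120  # assumed lifetime of a challenge


class ChallengeStore:
    """Server-side map from an opaque token to the image served (hypothetical helper)."""

    def __init__(self, pool, ttl=TTL_SECONDS, clock=time.monotonic):
        self._pool = pool
        self._ids = sorted(pool)
        self._ttl = ttl
        self._clock = clock
        self._pending = {}  # token -> (image_id, expires_at)

    def issue(self):
        """Pick an image with the OS CSPRNG and return an unrelated random token."""
        image_id = secrets.choice(self._ids)   # not random.random() / Rand()
        token = secrets.token_urlsafe(32)      # 256 random bits, encodes nothing
        self._pending[token] = (image_id, self._clock() + self._ttl)
        return token

    def image_for(self, token):
        """Resolve a token to the image to stream; the image id is never sent out."""
        entry = self._pending.get(token)
        return entry[0] if entry else None

    def verify(self, token, answer):
        """Single use: the token is consumed whether or not the answer is right."""
        entry = self._pending.pop(token, None)
        if entry is None:
            return False  # unknown or replayed token
        image_id, expires_at = entry
        if self._clock() > expires_at:
            return False  # challenge expired
        expected = self._pool[image_id].encode()
        # Constant-time comparison of the normalised answer.
        return hmac.compare_digest(expected, answer.strip().lower().encode())
```

Because the token is drawn independently of the image and consumed on first use, learning every image in the pool or every past token gives no way to derive the answer for the next challenge without reading the image.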