mt_rand() is not secure from a cryptographic point of view, let's use openssl_random_pseudo_bytes() here