I have a situation where an untrusted client is generating string IDs, but I don't want them to be human readable.
They don't need to be cryptographically random or even unique, I just don't want IDs like "idiot" to be accepted.
How can I go about preventing this?
EDIT: It would be nice if the IDs were "aspirationally-unique", like GUIDs.
Here are some ideas:
- Convert the supplied ID to a hash or encrypt it. This will result in meaningless strings
- Create a dictionary of words you don't want used, and when the supplied ID contains one of those words, reject it... a PHP example can be found at https://scvinodkumar.wordpress.com/2009/06/17/bad-word-filter-and-replace/
- Require that the IDs not contain sequences where two (or however many) alpha characters are next to each other
If you have any additional info/preference/requirements, let me know.
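Here is an added example (not part of the answer above, and not the linked PHP code) that puts the three ideas side by side in Python: a small constructed blocklist for idea 2, a longest-letter-run check for idea 3, and a name-based (version 5) UUID derived from the supplied string for idea 1. The namespace UUID and the word list are assumptions chosen for the example.

```python
import re
import uuid

# Constructed blocklist for this example; a real deployment would load a
# maintained word list from configuration.
BLOCKED_WORDS = frozenset({"idiot", "stupid"})

# Fixed, application-specific namespace for uuid5 derivation (assumption:
# any constant UUID chosen once by the server works; generate your own).
ID_NAMESPACE = uuid.UUID("a3bb189e-8bf9-3888-9912-ace4e6543002")

MAX_ID_LEN = 64
_ALPHA_RUN = re.compile(r"[A-Za-z]+")
_UUID5_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-5[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}"
)


def contains_blocked_word(supplied: str) -> bool:
    """Idea 2: reject IDs that contain a blocked word anywhere.

    Substring matching is used because the answer says "contains"; it catches
    "idiot42" but will also reject innocent strings that happen to embed a
    blocked word (the classic Scunthorpe problem).
    """
    lowered = supplied.lower()
    return any(word in lowered for word in BLOCKED_WORDS)


def longest_alpha_run(supplied: str) -> int:
    """Length of the longest run of consecutive ASCII letters (0 if none)."""
    return max((len(m) for m in _ALPHA_RUN.findall(supplied)), default=0)


def check_client_id(supplied: str, max_alpha_run: int = 1) -> tuple[bool, str]:
    """Apply ideas 2 and 3 to a client-supplied ID.

    Returns (accepted, reason). With max_alpha_run=1 no two letters may be
    adjacent, so no word of two or more letters can appear at all.
    """
    if not supplied or len(supplied) > MAX_ID_LEN:
        return False, "bad length"
    if contains_blocked_word(supplied):
        return False, "blocked word"
    if longest_alpha_run(supplied) > max_alpha_run:
        return False, "alpha run too long"
    return True, "ok"


def opaque_id(supplied: str) -> str:
    """Idea 1: replace the client string with a name-based (version 5) UUID.

    The output is deterministic (same input, same ID) and has GUID layout.
    Its hex digits can only spell words made of the letters a-f, so "idiot"
    can never appear. It is no more unique than the input, though: two
    clients sending the same string get the same ID.
    """
    return str(uuid.uuid5(ID_NAMESPACE, supplied))


def looks_like_uuid5(candidate: str) -> bool:
    """True if the string has the canonical version-5 UUID layout."""
    return _UUID5_RE.fullmatch(candidate) is not None


if __name__ == "__main__":
    for sample in ("idiot", "ab12", "a1b2c3"):
        print(sample, check_client_id(sample), opaque_id(sample))
```

If you only want the stored value to be meaningless, `opaque_id` alone is enough and you can skip the filters entirely; if you actually need uniqueness rather than an opaque rendering of whatever the client sent, generate the ID server-side (for example `uuid.uuid4()`) and ignore the client's string.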