"tmpnam()" does *not* provide 256 bits of randomness in its name. It was invented long, long ago when AT&T unix had a filename length limit of 14 characters, which limited the amount of randomness that could be applied. And things like /dev/random had not yet been invented, which means that you couldn't easily get good randomness to use to invent the name - an attacker could guess your PRNG seed. Hence, tmpnam() is considered insecure. But these days, all filesystems have much longer length limits, and so it is no problem to create a filename with an absurd amount of randomness taken from a high-quality source, such as /dev/random. The resulting filename is perfectly safe.