我应该使用urandom还是openssl_random_pseudo_bytes? [英] should i use urandom or openssl_random_pseudo_bytes?
本文介绍了我应该使用urandom还是openssl_random_pseudo_bytes?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我正在用php 5.4开发一个站点,我想知道哪种更好的方法来生成随机盐来提高密码安全性?
I am developing a site in php 5.4 and i was wondering which is better to use to gen a random salt for password security?
$salt = sha1(openssl_random_pseudo_bytes(23));
或
$seed = '';
$a = @fopen('/dev/urandom','rb');
$seed .= @fread($a,23);
$salt = sha1(seed);
或者我应该选择:
$salt = openssl_random_pseudo_bytes(40);
或
$salt = '';
$a = @fopen('/dev/urandom','rb');
$salt .= @fread($a,23);
推荐答案
出于安全目的,最好使用openssl_random_pseudo_bytes. OpenSSL负责收集足够的熵以为您提供良好的随机性. /dev/urandom被设计为从不阻止,并且可能被欺骗以提供不那么随机的字节.
For security purposes you are better off using openssl_random_pseudo_bytes. OpenSSL takes care of gathering enough entropy to serve you good randomness. /dev/urandom is devised to never block and could be tricked into giving you not so random bytes.
对于随机字节,您不需要通过SHA1来运行它们.
With random bytes you do not need to run them through SHA1.
总而言之,请执行以下操作:
To sum it all, do:
$salt = openssl_random_pseudo_bytes(40, $cstrong);
if (! $cstrong) {
exit('This should not happen');
}
这篇关于我应该使用urandom还是openssl_random_pseudo_bytes?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
