我们可以在 PHP 中使用 uniqid() 生成唯一的 Salt [英] Can we use uniqid() to generate a unique Salt in PHP

问题描述

我正在使用 bcrypt 来散列我的密码.但我也想用一些盐.我可以使用 uniqid() 函数为每个用户生成一个唯一的 Salt 吗?或者可能是具有更多熵的东西，例如

I'm using bcrypt to hash my passwords. But I would like to use some Salt with it as well. Can I use the uniqid() function to generate a unique Salt for every user? Or may be something with more entropy like

uniqid('', true);

我不了解生成盐的许多更复杂的方法.喜欢使用 for 循环和许多不同的函数.

I do not understand many of the more complex ways of generating Salts. like using for loops and many different functions.

谢谢.

推荐答案

的目的salt 是为了让 hash 难以匹配.话虽如此，这取决于您使用的哈希值和 有多容易 是为了碰撞.Bcrypt 非常强大 但它有它的缺点.

The purpose of a salt is to make it difficult to match the hash. That being said this depends of the hash you're using and how prone it is to collisions. Bcrypt is pretty strong but it has its drawbacks.

根据手册，此代码应生成一个 23 个字符的盐 .

This code should make a 23 character salt according to the manual.

printf("uniqid('', true): %s\r\n", uniqid('', true));

这为您提供(256 位)64 位数字:

This gets you (256 bits) 64 digits:

hash("sha256",time());

检出crypt.

使用 SALT 总是好的，因为它使找到原始密码变得更加困难(逆向工程).这并不意味着如果您对数据库进行匹配，他们就无法获得匹配的哈希冲突并允许他们访问.散列越长，每个位置的字符潜力越大，碰撞就越困难，你的系统就更强大(理论上).

Using a SALT is always good because it makes it harder to find the original password (reverse engineer). That doesn't mean they can't get a hash collision that matches and allows them access if you're doing a match against a database. The longer the hash and the more character potential per position makes a collision that much harder and your system stronger (in theory).

这篇关于我们可以在 PHP 中使用 uniqid() 生成唯一的 Salt的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！