如何产生优质的盐-我的功能是否足够安全? [英] How to generate a good salt - Is my function secure enough?

问题描述

这是我用来生成随机盐的函数:

Here's the function I'm using to generate random salts:

function generateRandomString($nbLetters){
    $randString="";
    $charUniverse="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    for($i=0; $i<$nbLetters; $i++){
       $randInt=rand(0,61);
        $randChar=$charUniverse[$randInt];
        $randString=$randomString.$randChar;
    }
    return $randomString;
}

这是针对非商业网站的.它仅用于生成盐(存储在db中，并与用户提交的pw一起用于散列).

This is for a non commercial website. It's only used to generate the salt (to be stored in the db and used along with the user submitted pw for hashing).

这合适吗?我应该使用更大的字符子集吗?如果是，是否有一种简单的方法可以在PHP中做到这一点?

Is this appropriate? Should I use a larger subset of characters, and if so is there an easy way to do that in PHP?

推荐答案

如果要对密码进行哈希处理，则应使用现代的哈希算法，该算法不需要您自己生成盐.使用弱哈希算法会给您和您的用户带来危险.我的原始答案是八年前写的.时代变了，密码哈希现在变得容易得多.

If you are hashing passwords, you should use a modern hashing algorithm that does not require you to generate your own salt. Using weak hashing algorithms presents a danger to both you and your users. My original answer was written eight years ago. Times have changed, and password hashing is a lot easier now.

您应该始终使用内置函数来哈希/检查密码.随时使用自己的算法会带来大量不必要的风险.

You should always use built in functions to hash/check passwords. Using your own algorithms at any point introduces a huge amount of unnecessary risk.

对于PHP，请考虑将 password_hash()与PASSWORD_BCRYPT算法.无需提供自己的盐.

For PHP, consider using password_hash(), with the PASSWORD_BCRYPT algorithm. There is no need to provide your own salt.

以下是我的原始答案，以供后代使用:

Below is my original answer, for posterity:

警告:根据在 php sha1页面中:

$salt = uniqid(mt_rand(), true);

这看起来比您的建议更简单，更有效(因为每个都是唯一的).

This looks simpler, and more effective (since each is unique) than what you have proposed.

这篇关于如何产生优质的盐-我的功能是否足够安全?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！