使用 CreateUUID() 函数作为盐是个好主意吗? [英] Is using a CreateUUID() function as salt a good idea?

问题描述

我正在使用 Coldfusion 并且我想为我的密码生成一个随机盐字段.我想知道 CreateUUID() 函数在这里是否有用.我发现了许多使用单独函数来创建盐串的例子；但是当您可以使用 rand() 或 CreateUUID() 函数时，为什么要这样做呢?我不确定.

I'm using coldfusion and I would like to generate a random salt field for my passwords. I was wondering if a CreateUUID() function is useful here. I found many examples which use a seperate function to create the salt string; but why do this when you could use rand() or CreateUUID() functions instead? I'm not sure.

这是一个矫枉过正还是一个好主意?或者我应该使用 rand() 还是时间戳?

Is it an overkill or a good idea? Or should I use rand() or a timestamp instead?

推荐答案

这不是一个好主意 - CreateUUID 保证唯一性，而不是随机性;如果您对 CreateUUID 进行统计分析，它很可能不会被认为是足够随机的密码学分布，因为它没有明确设计成那样.

This is not a good idea - CreateUUID guarantees uniqueness, not randomness; if you did a statistical analysis of CreateUUID, it most likely wouldn't be a distribution considered sufficiently random for cryptography, because it wasn't explicitly designed that way.

例如，CreateUUID 的前 n 个字节是您的 MAC 地址 - 即对于每个盐总是相同的.通过这样做，您已经显着降低了盐的熵量，从而使它们更容易破解.如果可能，请使用库来处理整个身份验证场景，如果没有，请使用真正的 rand() 函数.

For example, the first n bytes of CreateUUID is your MAC address - i.e. always the same for every salt. By doing that, you've significantly decreased the amount of entropy that your salts have, thereby making them easier to crack. Use libraries to handle the whole auth scenario if at all possible, and if not, use a real rand() function.

这篇关于使用 CreateUUID() 函数作为盐是个好主意吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！