Best practice to generate random token for forgot password


Problem description

I want to generate an identifier for forgot password. I read I can do it by using a timestamp with mt_rand(), but some people are saying that a timestamp might not be unique every time. So I am a bit confused here. Can I do it using a timestamp with this?

Question
What's best practice to generate random/unique tokens of custom length?

I know there are a lot of questions asked around here, but I am getting more confused after reading different opinions from different people.

Recommended answer

In PHP, use random_bytes(). Reason: you are seeking a way to get a password reminder token, and, if it is a one-time login credential, then you actually have data to protect (which is the whole user account).

So, the code is as follows:

<?php
$length = 78; // number of random bytes; bin2hex() makes the token 2 * $length hex characters long
$token = bin2hex(random_bytes($length));

Update: previous versions of this answer were referring to uniqid(), and that is incorrect if there is a matter of security and not only uniqueness. uniqid() is essentially just microtime() with some encoding. There are simple ways to get accurate predictions of the microtime() on your server. An attacker can issue a password reset request and then try through a couple of likely tokens. This is also possible if more_entropy is used, as the additional entropy is similarly weak. Thanks to @NikiC and @ScottArciszewski for pointing this out.

For more details, see
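To show how the random_bytes() token from the answer fits into a complete reset flow, here is an added example that is not part of the original answer: the token is issued from the CSPRNG, only its SHA-256 digest is persisted (so a leaked table cannot be replayed), and it expires and is single-use. The in-memory $store array stands in for a database table; all function and constant names are assumptions.

```php
<?php
// Added example, not code from the original answer. $store simulates a
// database table keyed by the SHA-256 of the token; names are assumptions.

const TOKEN_BYTES = 32;   // 256 bits from the CSPRNG; hex token is 64 chars
const TOKEN_TTL   = 3600; // reset links are valid for one hour

// Issue a reset token for $userId. Only hash('sha256', $token) is stored,
// so a database leak does not hand out usable reset links.
function issueResetToken(array &$store, int $userId): string
{
    $token = bin2hex(random_bytes(TOKEN_BYTES));
    $store[hash('sha256', $token)] = [
        'user'    => $userId,
        'expires' => time() + TOKEN_TTL,
    ];
    return $token; // goes to the user, e.g. as a query parameter in the reset URL
}

// Validate the token presented by the user. Returns the user id, or null if
// the token is malformed, unknown, expired, or already consumed.
function consumeResetToken(array &$store, string $presented): ?int
{
    // Reject anything that is not exactly 2 * TOKEN_BYTES lowercase hex chars
    // before doing any lookup.
    if (!preg_match('/^[0-9a-f]{' . (TOKEN_BYTES * 2) . '}$/', $presented)) {
        return null;
    }
    // Indexing by the digest rather than the raw token means the lookup never
    // compares the secret itself, so it leaks nothing through timing.
    $key = hash('sha256', $presented);
    if (!isset($store[$key])) {
        return null;
    }
    $row = $store[$key];
    unset($store[$key]); // single use: consumed whether or not it is still valid
    return $row['expires'] >= time() ? $row['user'] : null;
}

$store = [];
$token = issueResetToken($store, 42);
var_dump(consumeResetToken($store, $token)); // first presentation
var_dump(consumeResetToken($store, $token)); // second presentation: already consumed
```

In a real deployment the token should also be bound to the reset request's user id and invalidated when the password is changed by any other route.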

