正在使用 microtime() 生成密码重置令牌不好的做法 [英] Is using microtime() to generate password-reset tokens bad practice

问题描述

在 PHP 中，我注意到一些框架使用 microtime() 函数来生成密码重置令牌，如下所示:

In PHP I've noticed some frameworks make use of the microtime() function to generate password reset tokens as in:

  $token = md5(microtime());

这是安全问题吗?如果攻击者能够将时钟与服务器同步到一定程度的准确度，他们就可以暴力破解令牌.1 秒同步只需要 1,000,000 次尝试，这不是一个太疯狂的问题.

Is this a security issue? If the attacker is able to synchronize the clocks with the server to a degree of accuracy they could brute force the token. 1sec synchronization will only require 1,000,000 tries and this is not too crazy of an issue.

这次攻击成功的可能性有多大?应该使用/dev/urandom 或 openssl_pseudo_bytes() 生成令牌吗?microtime() 是不好的做法吗?

How likely is this attack to succeed? Should one be generating tokens with /dev/urandom or openssl_pseudo_bytes() instead? Is microtime() bad practice?

推荐答案

是的，这是一个安全问题！随时间生成令牌是一种非常糟糕的做法.Burp Suite 使攻击者可以轻松地暴力破解可预测的令牌，而基于时间的令牌非常可预见的.Burp 允许某人轻松收集令牌并对它们进行统计分析以确定熵.使用此信息，您可以轻松预测未来的代币.

Yes it is a security issue! Generating tokens with time is a very bad practice. Burp Suite makes it trivial for an attacker to brute force tokens that are predictable, and tokens based on time are very predictable. Burp allows someone to easily gather tokens and perform statistical analysis on them to determine entropy. Using this info you can easily predict future tokens.

请记住，攻击者只需要做对一次.错误数百万次没有任何区别.

Remember, the attacker only needs to get it right once. Getting it wrong millions of times makes no difference.

这是一篇关于令牌生成的有用(和最近)StackOverflow 帖子，可能对您有帮助:REST Web 服务身份验证令牌实现

Here is a useful (and recent) StackOverflow post about token generation that may be helpful to you: REST Web Service authentication token implementation

这篇关于正在使用 microtime() 生成密码重置令牌不好的做法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！