md5(uniqid)对随机唯一标记有意义吗? [英] md5(uniqid) makes sense for random unique tokens?
问题描述
我想创建一个令牌生成器,生成用户无法猜出并且仍然唯一的令牌(用于密码重置和确认代码)。
<我经常看到这个代码;它是否有意义?
md5(uniqid(rand(),true));
根据 comment uniqid($ prefix,$ moreEntopy = true)
yield
前8个十六进制字符= Unixtime,后五个十六进制字符=微秒。
我不知道如何处理 $前缀
- 参数。
问题: 但是如果我们使用 uniqid
和 $ moreEntopy
,那么用md5对它进行散列会给我们带来什么呢?是否比好:
md5(mt_rand())
edit1:我会将此令牌存储在具有唯一索引的数据库列中,因此我会检测列。可能有兴趣/
rand()是一种安全隐患,永远不应该用于生成安全令牌: rand()vs mt_rand()(看看像图片一样的静态)。但是这些生成随机数字的方法都不是密码安全的。为了生成安全的secerts,应用程序需要访问由平台,操作系统或者其他平台提供的 CSPRNG 。硬件模块。
在web应用程序中,安全机密的一个很好的来源是非阻塞访问熵池,如 I want to create a token generator that generates tokens that cannot be guessed by the user and that are still unique (to be used for password resets and confirmation codes). I often see this code; does it make sense? According to a comment first 8 hex chars = Unixtime, last 5 hex chars = microseconds. I don't know how the So if you don't set the $moreEntopy flag to true, it gives a predictable outcome. QUESTION: But if we use edit1: I will store this token in an database column with a unique index, so I will detect columns. Might be of interest/ rand() is a security hazard and should never be used to generate a security token: rand() vs mt_rand() (Look at the "static" like images). But neither of these methods of generating random numbers is cryptographically secure. To generate secure secerts an application will needs to access a CSPRNG provided by the platform, operating system or hardware module. In a web application a good source for secure secrets is non-blocking access to an entropy pool such as
这篇关于md5(uniqid)对随机唯一标记有意义吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋! / dev / urandom
。从PHP 5.3开始,PHP应用程序可以使用 openssl_random_pseudo_bytes()
,Openssl库将根据您的操作系统选择最佳的熵源,这意味着应用程序将使用的/ dev / urandom的
。这个斯科特的代码片断很不错, a>:
pre code $ function $ $ $ $ $ $ $ $ $ $ $ $ $ $ $;
if($ range <0)return $ min; //不是随机的...
$ log = log($ range,2);
$ bytes =(int)($ log / 8)+ 1; //字节长度
$ bits =(int)$ log + 1; //比特长度
$ filter =(int)(1 <= $ bits)-1; //将所有低位设置为1
do {
$ rnd = hexdec(bin2hex(openssl_random_pseudo_bytes($ bytes)));
$ rnd = $ rnd& $过滤器; ($ rnd> = $ range); //丢弃无关位
};
返回$ min + $ rnd;
}
函数getToken($ length = 32){
$ token =;
$ codeAlphabet =ABCDEFGHIJKLMNOPQRSTUVWXYZ;
$ codeAlphabet。=abcdefghijklmnopqrstuvwxyz;
$ codeAlphabet。=0123456789;
for($ i = 0; $ i <$ length; $ i ++){
$ token。= $ codeAlphabet [crypto_rand_secure(0,strlen($ codeAlphabet))];;
}
返回$ token;
}
md5(uniqid(rand(), true));
uniqid($prefix, $moreEntopy = true)
yields
$prefix
-parameter is handled..
uniqid
with $moreEntopy
, what does hashing it with md5 buy us? Is it better than:md5(mt_rand())
/dev/urandom
. As of PHP 5.3, PHP applications can use openssl_random_pseudo_bytes()
, and the Openssl library will choose the best entropy source based on your operating system, under Linux this means the application will use /dev/urandom
. This code snip from Scott is pretty good:function crypto_rand_secure($min, $max) {
$range = $max - $min;
if ($range < 0) return $min; // not so random...
$log = log($range, 2);
$bytes = (int) ($log / 8) + 1; // length in bytes
$bits = (int) $log + 1; // length in bits
$filter = (int) (1 << $bits) - 1; // set all lower bits to 1
do {
$rnd = hexdec(bin2hex(openssl_random_pseudo_bytes($bytes)));
$rnd = $rnd & $filter; // discard irrelevant bits
} while ($rnd >= $range);
return $min + $rnd;
}
function getToken($length=32){
$token = "";
$codeAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$codeAlphabet.= "abcdefghijklmnopqrstuvwxyz";
$codeAlphabet.= "0123456789";
for($i=0;$i<$length;$i++){
$token .= $codeAlphabet[crypto_rand_secure(0,strlen($codeAlphabet))];
}
return $token;
}