Is UUID.randomUUID() suitable for use as a one-time password?

Question
As previously discussed, confirmation emails should have a unique, (practically) un-guessable code--essentially a one-time password--in the confirmation link.
The UUID is generated using a cryptographically strong pseudo random number generator.

Does this imply that the UUID random generator in a properly implemented JVM is suitable for use as the unique, (practically) un-guessable OTP?
Accepted answer
No. According to the UUID specification (https://www.ietf.org/rfc/rfc4122.txt):

Do not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access), for example. A predictable random number source will exacerbate the situation.
Also, UUIDs only have 16 possible characters (0 through F). You can generate a much more compact and explicitly secure random password using SecureRandom (thanks to @erickson).
```java
import java.math.BigInteger;
import java.security.SecureRandom;

public final class PasswordGenerator {
    // SecureRandom is seeded from the platform's CSPRNG; one instance can be reused safely.
    private final SecureRandom random = new SecureRandom();

    // 130 random bits rendered in base 32 gives a token of up to 26 characters
    // (digits and lowercase letters), more compact than a 36-character UUID string.
    public String nextPassword() {
        return new BigInteger(130, random).toString(32);
    }
}
```
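To make the answer's point concrete, the following added example (not part of the original answer or of any library it mentions) puts a version 4 UUID beside a token drawn directly from SecureRandom, and adds the two handling details a confirmation link needs in practice: store only a hash of the token, and compare with MessageDigest.isEqual so a lookup does not leak timing information. The class name ConfirmationTokens, the 32-byte token length and the SHA-256 choice are this example's own assumptions. The "122 random bits" figure for a random UUID comes from the RFC 4122 layout, where the version and variant bits are fixed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.UUID;

// Hypothetical helper for this example; not from the original answer.
public final class ConfirmationTokens {
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final int TOKEN_BYTES = 32; // 256 bits of entropy (assumed size)

    // Generate a URL-safe, unpadded Base64 token: 32 bytes -> 43 characters.
    public static String newToken() {
        byte[] bytes = new byte[TOKEN_BYTES];
        RANDOM.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    // Store only this hash next to the user record, never the raw token,
    // so a database leak does not hand out live confirmation links.
    public static byte[] hashToken(String token) throws NoSuchAlgorithmException {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        return sha256.digest(token.getBytes(StandardCharsets.US_ASCII));
    }

    // Constant-time comparison of the presented token's hash with the stored hash.
    public static boolean verify(String presented, byte[] storedHash) throws NoSuchAlgorithmException {
        return MessageDigest.isEqual(hashToken(presented), storedHash);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String uuid = UUID.randomUUID().toString();
        String token = newToken();
        byte[] stored = hashToken(token);

        // A random UUID is 36 characters but carries only 122 random bits
        // (the version nibble and two variant bits are fixed by RFC 4122).
        System.out.println("UUID : " + uuid + " (" + uuid.length() + " chars, 122 random bits)");
        System.out.println("token: " + token + " (" + token.length() + " chars, 256 random bits)");

        // A confirmation endpoint would look up the stored hash and call verify().
        System.out.println("correct token verifies: " + verify(token, stored));
        System.out.println("other token verifies:   " + verify(newToken(), stored));
    }
}
```

The stored hash, not the token, is what the confirmation endpoint compares against; the token itself should also be single-use and expire, which is what makes it a one-time password rather than a long-lived capability of the kind the RFC warns about.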