本文介绍了时间()是好盐吗?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧! 问题描述 29岁程序员,3月因学历无情被辞! 我正在看一些我自己没有写过的代码。代码尝试使用SHA512对密码进行哈希处理,并使用 time()作为salt。是 time()太简单了,或者这个代码安全吗? 感谢您的回答和评论。我将在这里对新读者进行总结:对于每个用户来说, 盐应该是不同的,所以如果2个用户同时注册,它们的盐不会是唯一的。这是一个问题,但不是一个大问题。 但salt不应与用户有任何关系,所以time()不是一个好的盐。 使用随机均匀分布的高熵盐 随机,均匀分布,高熵 salt? 好的,我如何将time() 32字符长的随机字符串。随机字符串可以通过在一组字母字符上循环32次而生成。这听起来不错吗? $ b $ b 不, time()不是一个好的盐。 长答案: 至于什么似乎是你的随机盐的一个很好的来源 如果没有基于硬件的随机生成器,获取随机数据的最佳方式是询问操作系统(在Linux上,这称为 / dev / random 或 CryptGenRandom()) 如果由于某种原因,您无法访问上述提及者d源随机,在PHP中,您可以使用以下函数: <?php / ** *生成伪随机位 * @copyright:public domain * @link http://www.openwall.com/phpass/ * @param int $ length位生成 * @return字符串十六进制数字 * @note的字符串不会尝试改善这一点,您可能会毁掉它 * / 函数random_bits ($熵){ $ entropy / = 8; $ state = uniqid(); $ str =''; ($ i = 0; $ i $ state = md5(microtime()。$ state); 。 $ str。= md5($ state,true); $ str = unpack('H *',substr($ str,0,$ entropy)); //出于某种奇怪的原因,在某些机器上32位二进制数据以65出现!十六进制字符!? // so,添加了substr return substr(str_pad($ str [1],$ entropy * 2,'0'),0,$ entropy * 2); } ?> I'm looking at some code that I have not written myself. The code tries to hash a password with SHA512 and uses just time() as the salt. Is time() too simple a salt for this or is this code safe?Thanks for the answers and comments. I will sum it up here for the new readers:salt should be different for each user, so if 2 users register at the same time, their salts won't be unique. This is a problem, but not a big one.but salt shouldn't be in any way related to the user, so time() is not a good salt."Use a random, evenly distributed, high entropy salt." -- That's a mouthful, so what code could possibly generate a random, evenly distributed, high entropy salt?Ok, so how about I replace time() with a random string 32 char long. The random string could be generated from looping 32 times over a set of alphabet chars. Does that sound good? 解决方案 Short answer:No, time() is not a good salt.Long answer:As for what seems to be a good source for your random saltIn the absence of dedicated, hardware based, random generators, the best way of obtaining random data is to ask the operating system (on Linux, this is called /dev/random or /dev/urandom [both have advantages and problems, choose your poison]; on Windows, call CryptGenRandom())If for some reason you do not have access to the above mentioned sources of random, in PHP you could use the following function: <?php/** * Generate pseudo random bits * @copyright: public domain * @link http://www.openwall.com/phpass/ * @param int $length number of bits to generate * @return string A string with the hexadecimal number * @note don't try to improve this, you will likely just ruin it */function random_bits($entropy) { $entropy /= 8; $state = uniqid(); $str = ''; for ($i = 0; $i < $entropy; $i += 16) { $state = md5(microtime().$state); $str .= md5($state, true); } $str = unpack('H*', substr($str, 0, $entropy)); // for some weird reason, on some machines 32 bits binary data comes out as 65! hex characters!? // so, added the substr return substr(str_pad($str[1], $entropy*2, '0'), 0, $entropy*2);}?> 这篇关于时间()是好盐吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持! 上岸,阿里云!