问题描述
我目前正在编写一个程序,其中一部分涉及安全地创建密码哈希以存储在数据库中,并且我遇到了框架,这似乎是强烈推荐。在phpass中,他们似乎经历了很长的时间来产生一个尽可能真正随机用于哈希的盐(例如从/ dev / urandom读取)。
我的问题是,这样做的好处是什么,而不是简单地使用 uniqid()
?难道不是简单地确定用于哈希的盐彼此不同而不是随机的吗?不会使用真正的随机盐,实际上比使用独特的盐更糟糕,因为它可能会产生碰撞,而uniqid()不会?
编辑:我的问题wasn关于计算机环境中是否存在真正的随机性,所以也许我误解了一点,但是我的问题更多地是基于更多随机盐是否比盐更具独特性有任何好处。 / p>
在PHP中,函数根据当前时间计算其结果。这有助于确保值是唯一的,因为没有两次出现两次,但这不适用于多个服务器,因为它纯粹是基于时间的。使用基于时间的东西是不好的,因为可以由 uniqid()
产生的不同的值非常有限。假设PHP已经使用了25年,计算结果为7.89e + 14微秒,因此已经产生了相同数量的 uniqid()
值。
这是一个非常大的数字,但假设我们能够得到一个真正的随机盐,碰撞的可能性实际上远低于使用 uniqid()
。可以用作盐的可能字符有:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 + /
这意味着我们有64个不同的字符可用于22个字符长的盐,它计算大约5.44e + 39种不同的组合。
因此,基本上,在试图使某种独特的东西时,它实际上比使用随机源时更独特。
I am currently writing a program and part of it involves securely creating password hashes to store in a database and I came across the phpass framework, which seems to be highly recommended. In phpass, they seem to go through great lengths to produce a salt that is as truly random as possible to be used for the hashes (e.g. reading from /dev/urandom).
My question is, what is the benefit of doing this as opposed to simply using uniqid()
? Isn't the point simply to make sure that the salts used for the hashes are different from each other rather than random? Wouldn't using a truly random salt actually be worse than using a unique salt since it could potentially produce collisions while uniqid() won't?
Edit: My question wasn't about whether or not "true" randomness exists in computer environments, so maybe I misphrased it a bit, however my question was more along the lines of whether a "more" random salt has any benefit over more uniqueness as a salt.
In PHP, the uniqid()
function calculates its result based on the current time. This helps ensure that the values are unique because no two times occur twice, however this does not work across multiple servers since it is purely time-based. Using something time-based is bad because the number of different values that can be produced by uniqid()
are very limited. Assuming that PHP has been in use for 25 years, this calculates to 7.89e+14 microseconds that have passed and therefore the same number of values for uniqid()
would have been produced.
This is a very large number, however assuming that we are able to get a truly random salt, the chance of a collision is actually far less than when using uniqid()
. The possible characters that can be used as a salt are:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
That means we have 64 different characters to use for a 22 characters long salt, which calculates to roughly 5.44e+39 different combinations.
So basically, in trying to make something unique, it is actually less unique than it would be if a random source were used.
这篇关于什么是“随机”的好处?盐在“独特的”盐?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!