doutou7961 2015-05-09 22:29
浏览 185
已采纳

为什么srand(time())是一个糟糕的种子?

Using srand(time()) to generate a token for a password reset (or for a CSRF token) is bad because the token can be predictable.

I read these:

But I don't understand how the token can be predictable. I understand that if in one second I reset my password many times I get the same token. I have the following code:

<?php

srand(time());
$reset_password_token = rand(444444444444,999999999999);

?>

If I reset my password many times in one seconds, I know I get the same token but how can an attacker exploit this?

  • 写回答

4条回答 默认 最新

  • duandang2123 2015-05-09 22:45
    关注

    It limits the scope of their brute force. For instance they only need to attempt only 60 passwords if they know someone did a reset within the last minute.

    But it's worse than that. The attacker can get into any account they want by initiating a password reset for that account. After this, they generate a few tokens by repeatedly calling srand with the unix timestamp for the some small window of time around the reset, incrementing each time. One of those tokens must match unless your clock is way off.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(3条)

报告相同问题?

悬赏问题

  • ¥15 matlab实现基于主成分变换的图像融合。
  • ¥15 对于相关问题的求解与代码
  • ¥15 ubuntu子系统密码忘记
  • ¥15 信号傅里叶变换在matlab上遇到的小问题请求帮助
  • ¥15 保护模式-系统加载-段寄存器
  • ¥15 电脑桌面设定一个区域禁止鼠标操作
  • ¥15 求NPF226060磁芯的详细资料
  • ¥15 使用R语言marginaleffects包进行边际效应图绘制
  • ¥20 usb设备兼容性问题
  • ¥15 错误(10048): “调用exui内部功能”库命令的参数“参数4”不能接受空数据。怎么解决啊