doutou7961 2015-05-09 22:29
浏览 185
已采纳

为什么srand(time())是一个糟糕的种子?

Using srand(time()) to generate a token for a password reset (or for a CSRF token) is bad because the token can be predictable.

I read these:

But I don't understand how the token can be predictable. I understand that if in one second I reset my password many times I get the same token. I have the following code:

<?php

srand(time());
$reset_password_token = rand(444444444444,999999999999);

?>

If I reset my password many times in one seconds, I know I get the same token but how can an attacker exploit this?

  • 写回答

4条回答 默认 最新

  • duandang2123 2015-05-09 22:45
    关注

    It limits the scope of their brute force. For instance they only need to attempt only 60 passwords if they know someone did a reset within the last minute.

    But it's worse than that. The attacker can get into any account they want by initiating a password reset for that account. After this, they generate a few tokens by repeatedly calling srand with the unix timestamp for the some small window of time around the reset, incrementing each time. One of those tokens must match unless your clock is way off.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(3条)

报告相同问题?

悬赏问题

  • ¥15 如何在scanpy上做差异基因和通路富集?
  • ¥20 关于#硬件工程#的问题,请各位专家解答!
  • ¥15 关于#matlab#的问题:期望的系统闭环传递函数为G(s)=wn^2/s^2+2¢wn+wn^2阻尼系数¢=0.707,使系统具有较小的超调量
  • ¥15 FLUENT如何实现在堆积颗粒的上表面加载高斯热源
  • ¥30 截图中的mathematics程序转换成matlab
  • ¥15 动力学代码报错,维度不匹配
  • ¥15 Power query添加列问题
  • ¥50 Kubernetes&Fission&Eleasticsearch
  • ¥15 報錯:Person is not mapped,如何解決?
  • ¥15 c++头文件不能识别CDialog