Is using a CreateUUID() function as salt a good id

2019-06-16 12:04发布

问题:

I'm using coldfusion and I would like to generate a random salt field for my passwords. I was wondering if a CreateUUID() function is useful here. I found many examples which use a seperate function to create the salt string; but why do this when you could use rand() or CreateUUID() functions instead? I'm not sure.

Is it an overkill or a good idea? Or should I use rand() or a timestamp instead?

回答1:

This is not a good idea - CreateUUID guarantees uniqueness, not randomness; if you did a statistical analysis of CreateUUID, it most likely wouldn't be a distribution considered sufficiently random for cryptography, because it wasn't explicitly designed that way.

For example, the first n bytes of CreateUUID is your MAC address - i.e. always the same for every salt. By doing that, you've significantly decreased the amount of entropy that your salts have, thereby making them easier to crack. Use libraries to handle the whole auth scenario if at all possible, and if not, use a real rand() function.