
Using T-SQL as per the snippets below, which method is superior (or is it a tie)?

    -- method 1: DIY
    DECLARE @Salt VARCHAR(72)
    SET @Salt = ''
    WHILE LEN(@Salt) < 72
    BEGIN
      -- append one printable ASCII character (codes 33..126) per iteration
      SET @Salt = @Salt + CHAR(CONVERT(INT, FLOOR(RAND() * (126.0 - 33 + 1) + 33)))
    END

    -- method 2: concatenating 2 GUIDs
    SET @Salt = CONVERT(VARCHAR(36), NEWID()) + CONVERT(VARCHAR(36), NEWID())

  • Now at least we can have Robert');DROP TABLE Students;-- in a salt. See obligatory XKCD, and this if you don't quite get it. Worry about unpredictability of RAND() and NEWID() in whatever the environment is. What CONVERT(VARCHAR(36), NEWID()) does is language-dependent, thus off-topic. – fgrieu Nov 17 '20 at 07:12
  • What is the usage of this salt? – kelalaka Nov 17 '20 at 16:28

1 Answer


Neither. The RAND function in method 1 isn't cryptographically random; the GUID generation is only random with version 4, and isn't guaranteed to be of cryptographic quality.

DannyNiu
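As an added example (not part of the question or of DannyNiu's answer), this is how a salt of cryptographic quality is drawn in T-SQL: SQL Server exposes a cryptographic random generator as CRYPT_GEN_RANDOM (SQL Server 2008 and later), so neither RAND() nor NEWID() has to stand in for one. The table and column names in the comments are hypothetical and only illustrate where the salt would be stored.

```sql
-- Added example, not code from the original question or answer.
-- Requires SQL Server 2008 or later for CRYPT_GEN_RANDOM.
-- dbo.Users and its columns are hypothetical names used for illustration only.

DECLARE @Salt    VARBINARY(16);
DECLARE @SaltHex VARCHAR(32);

-- Draw 16 bytes (128 bits) from SQL Server's cryptographic random generator.
-- RAND() is a seedable statistical generator and NEWID() is a GUID, neither of
-- which is documented as cryptographically strong; CRYPT_GEN_RANDOM is.
SET @Salt = CRYPT_GEN_RANDOM(16);

-- Prefer storing the raw bytes in a VARBINARY column. If a text column is
-- unavoidable, hex-encode with CONVERT style 2 (no "0x" prefix) rather than
-- casting the bytes straight to VARCHAR, which interprets them as characters
-- in the column's code page and can yield unprintable or invalid ones.
SET @SaltHex = CONVERT(VARCHAR(32), @Salt, 2);

-- Hypothetical schema: the salt is stored next to the record it protects.
-- CREATE TABLE dbo.Users (UserId INT PRIMARY KEY, Salt VARBINARY(16) NOT NULL);
-- INSERT INTO dbo.Users (UserId, Salt) VALUES (1, @Salt);

-- Sanity check: 16 raw bytes, 32 hex characters.
SELECT @Salt             AS SaltBytes,
       @SaltHex          AS SaltHex,
       DATALENGTH(@Salt) AS SaltByteLength,   -- 16
       LEN(@SaltHex)     AS SaltHexLength;    -- 32
```

A 16-byte salt is already more than enough to make each stored value unique; if the surrounding application insists on a 72-character string, CRYPT_GEN_RANDOM(36) hex-encoded with style 2 gives exactly 72 characters while keeping every bit of the salt random.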