1

How to make absolutely original salt for every user? Is it better to use time() function in PHP?

treng

4 Answers

4

In many cases, a simple uniqid(mt_rand(), true) will do to generate a random salt. Combined with Blowfish, this should give you a pretty good password hash.

Alternatives are a pseudo-random source such as /dev/urandom or openssl_pseudo_random_bytes(). There are also services that generate random data for you (based on radioactive degradation).

Ja͢ck
  • I think it is openssl_random_pseudo_bytes() from [link](http://php.net/openssl_random_pseudo_bytes) – Loonb Sep 05 '12 at 22:00
3

Use this line to generate a strong salt in PHP:

 // 32 bytes from /dev/urandom, hex-encoded into a 64-character salt
 $salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));
2

Consider using a random salt instead of a non-random one. Maybe you will find something useful in this article: http://www.gregboggs.com/php-blowfish-random-salted-passwords/

Also take a look at this article: http://codahale.com/how-to-safely-store-a-password/

One approach is to generate a unique salt for every user and store that salt in the DB as well.

Another good approach is that the algorithm which generates the hash of your password MUST calculate salt more than second. The more complicated your hashing algorithm is, the more problems a person who wants to hack your DB will face.

Ribtoks
  • I don't understand what you mean by "MUST calculate salt more than second." Do you mean it should take longer than a second to execute? Please elaborate on this. – nullability Aug 06 '13 at 15:08
  • @nullability yes, longer than a second to execute – Ribtoks Apr 27 '16 at 07:39
1

You can use the microtime() function in PHP to generate a number based on microseconds, not seconds, which makes it almost impossible for a user to have an equal salt to another user. You can also multiply this number by the user's ID.

Maybe an md5(uniqid()) is enough of a salt for your application.

Edit: I forgot to mention the more_entropy parameter of the uniqid() function. It will lessen the chances of identical strings even when the function runs twice in the same microsecond, so the edited line should look like:

$salt = md5(uniqid($user_id, TRUE));
dande
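The following is an added example, not code from any of the answers above. It shows why the time()/microtime() idea in the last answer gives two users created in the same second identical salts, generates a salt from openssl_random_pseudo_bytes() instead (the function named in the comment on the first answer), and feeds it to Blowfish via crypt() with a cost factor, which is where the "longer than a second" tuning from the third answer actually lives. It assumes PHP 7 or later built with OpenSSL; all function and variable names are the example's own.

```php
<?php
// Added example (not from any answer above). Assumes PHP >= 7 with OpenSSL.

// Simulates a salt derived from time(): two accounts created within the
// same second get the same salt, which defeats the purpose of per-user salts.
function timeBasedSalt(int $now): string {
    return substr(md5((string) $now), 0, 22);
}

// 16 CSPRNG bytes, encoded into the 22-character alphabet bcrypt accepts
// (./A-Za-z0-9). base64 of 16 bytes is 24 chars with "==" padding, so
// stripping the padding leaves exactly 22.
function randomBcryptSalt(): string {
    $strong = false;
    $raw = openssl_random_pseudo_bytes(16, $strong);
    if ($raw === false || !$strong) {
        throw new RuntimeException('CSPRNG unavailable');
    }
    return substr(strtr(rtrim(base64_encode($raw), '='), '+', '.'), 0, 22);
}

// Blowfish ($2y$) hash. $cost is the work factor: raise it until hashing
// takes as long as you can afford on your hardware.
function bcryptHash(string $password, string $salt22, int $cost = 12): string {
    $hash = crypt($password, sprintf('$2y$%02d$%s', $cost, $salt22));
    if (strlen($hash) !== 60) {
        throw new RuntimeException('crypt() failed');
    }
    return $hash; // the salt is embedded, so only $hash needs storing
}

// hash_equals() keeps the comparison constant-time.
function verifyPassword(string $password, string $stored): bool {
    return hash_equals($stored, crypt($password, $stored));
}

$now = time();
printf("time()-based salts collide: %s\n",
    timeBasedSalt($now) === timeBasedSalt($now) ? 'yes' : 'no');

$s1 = randomBcryptSalt();
printf("CSPRNG salts collide: %s\n", $s1 === randomBcryptSalt() ? 'yes' : 'no');

$stored = bcryptHash('correct horse', $s1);
printf("stored: %s\n", $stored);
printf("right password: %s, wrong password: %s\n",
    verifyPassword('correct horse', $stored) ? 'ok' : 'fail',
    verifyPassword('wrong', $stored) ? 'ok' : 'fail');
```

On PHP 5.5 and later, password_hash() and password_verify() wrap exactly this crypt() usage and generate the salt for you, so in new code they are the simpler choice.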