I'm using bcrypt to hash my passwords. But I would like to use some Salt with it as well. Can I use the uniqid() function to generate a unique Salt for every user? Or maybe something with more entropy like

uniqid('', true);

I do not understand many of the more complex ways of generating Salts, like using for loops and many different functions.

Thank you.

Sameer Zahid
  • Have a look at http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php – James Birkett May 24 '13 at 20:54
  • Most BCrypt implementations will automatically generate a safe salt. PHP's new function [password_hash()](http://www.php.net/manual/de/function.password-hash.php) will for example read from the random source of the operating system. It is the best you can do, so you should not generate your own salt in this case. – martinstoeckli May 27 '13 at 07:37

1 Answer

The purpose of a salt is to make it difficult to match the hash. That being said, this depends on the hash you're using and how prone it is to collisions. Bcrypt is pretty strong but it has its drawbacks.

This code should make a 23 character salt according to the manual.

printf("uniqid('', true): %s\r\n", uniqid('', true));

This gets you (256 bits) 64 digits:

hash("sha256",time());

Check out crypt as well.

Using a SALT is always good because it makes it harder to find the original password (reverse engineer). That doesn't mean they can't get a hash collision that matches and allows them access if you're doing a match against a database. The longer the hash and the more character potential per position, the harder a collision becomes and the stronger your system is (in theory).

AbsoluteƵERØ
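An added example, not code from the question, the answer or the comments, showing what martinstoeckli's comment points to: letting PHP's password_hash() generate the bcrypt salt from the operating system's random source, verifying with password_verify(), and contrasting that salt with clock-derived values like uniqid('', true) or hash('sha256', time()). It assumes PHP 7.0 or later (random_bytes() and the password_* functions); the function names hashPassword() and checkPassword() are mine.

```php
<?php
// Added example: bcrypt via password_hash(), which generates its own 128-bit salt
// from the OS CSPRNG and embeds it in the returned string. Passing your own salt
// through the 'salt' option was deprecated in PHP 7.0 and removed in PHP 8.0,
// so there is no supported way (and no need) to feed uniqid() into bcrypt.
// Assumes PHP >= 7.0.

/** Hash a password with bcrypt. The salt is chosen internally and travels with the hash. */
function hashPassword(string $password, int $cost = 12): string
{
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    if ($hash === false) {          // PHP < 8 returns false on failure; PHP 8 throws instead
        throw new RuntimeException('password_hash() failed');
    }
    return $hash;
}

/**
 * Verify a password against a stored hash (constant-time comparison inside
 * password_verify) and report whether the stored hash should be upgraded,
 * e.g. because the configured cost has been raised since it was created.
 */
function checkPassword(string $password, string $storedHash, int $cost = 12): array
{
    $valid  = password_verify($password, $storedHash);
    $rehash = $valid && password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $cost]);
    return ['valid' => $valid, 'needs_rehash' => $rehash];
}

/** Extract the 22-character salt field from a "$2y$NN$..." bcrypt string (for display only). */
function bcryptSalt(string $hash): string
{
    // Layout: "$2y$" (4) + cost "NN" (2) + "$" (1) = 7 chars, then 22 salt chars, then 31 hash chars.
    return substr($hash, 7, 22);
}

// --- Demonstration with a constructed password ---------------------------------
$password = 'correct horse battery staple';   // constructed sample input
$stored   = hashPassword($password);

printf("stored hash: %s\n", $stored);
printf("salt field:  %s\n", bcryptSalt($stored));
var_dump(checkPassword($password, $stored));           // valid => true,  needs_rehash => false
var_dump(checkPassword('wrong password', $stored));    // valid => false, needs_rehash => false
var_dump(checkPassword($password, $stored, 13));       // valid => true,  needs_rehash => true (cost raised)

// Two hashes of the same password differ, because each call draws a fresh random salt.
printf("same password, second hash differs: %s\n",
    hashPassword($password) !== $stored ? 'yes' : 'no');

// --- Why clock-based "salts" are weak -------------------------------------------
// uniqid('', true) is 23 characters, but its first 13 hex characters are simply the
// current time in microseconds; two calls made back to back share almost all of them.
$a = uniqid('', true);
$b = uniqid('', true);
printf("uniqid A: %s\nuniqid B: %s\n", $a, $b);

// hash('sha256', (string) time()) is 64 hex characters long, but only the timestamp
// varies, so it carries at most ~32 bits of entropy (seconds since the epoch) and is
// guessable by anyone who can estimate when the account was created.
printf("sha256(time()): %s\n", hash('sha256', (string) time()));

// random_bytes() is what a proper salt looks like: 16 bytes = 128 bits from the OS CSPRNG,
// the same source password_hash() uses internally.
printf("random_bytes(16): %s\n", bin2hex(random_bytes(16)));
```

The point to take from running it: length is not entropy. A 64-character digest of time() is no harder to guess than the timestamp it was made from, while the 22-character salt that password_hash() embeds is drawn from the OS random source and never needs to be generated, stored or transmitted separately.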