
I know this may be a somewhat common question; there are SO many articles across the net about generating secure salts for password hashing. So far I've picked up that mcrypt_create_iv is generally used for initialisation vectors for encryption, and that it can be used to create a salt securely, especially when used against MCRYPT_DEV_RANDOM.

For some reason despite people having success with it, whenever I use:

```php
$Salt = mcrypt_create_iv(22, MCRYPT_DEV_RANDOM);
```

Apply it to the hash, then separately input it into the db. When coming back and authenticating and putting it all together... it never seems to work correctly.

Are there some characters that are generated by the mcrypt_create_iv function that aren't compatible with crypt? Because the second I use a somewhat plaintext salt whether generated from a secure source or not.. it works fine. But I would like to make use of the special characters mcrypt uses.

(Also, I am using the $6$ algorithm on crypt so only 16 bytes required for the salt)

Any help would be appreciated!

Thanks :)

Darren
Hazzard

1 Answer


I recommend using the password_hash() family of functions, as these will take care of the hashing for you completely. They also offer future-compatibility, and are generally the recommended method for handling passwords in PHP.

Read more about how to use them in this answer: https://stackoverflow.com/a/6337021/5086233

As for your original question: I suspect a charset issue somewhere, but without seeing the code (and table definition) that handles the hash it's impossible to tell.

Community
ChristianF
  • Cheers. My server is using PHP 5.4, according to the php.net article it's 5.5 and greater. No matter, your post was helpful anyway. I changed the collation in the db to utf-unicode-ci just on the salt and it works now :) – Hazzard Oct 04 '16 at 12:07
  • There is a compatibility layer that you can use, which is linked to in the answer I posted. Which is feature-identical to the built-in functions. ;) – ChristianF Oct 04 '16 at 12:08
  • You're welcome. Please remember to upvote and/or accept the answers. :) – ChristianF Oct 04 '16 at 12:14
  • @Hazzard - Here is the link to the [compatibility pack](https://github.com/ircmaxell/password_compat/blob/master/lib/password.php), it is just a standalone php file. With the password_hash() function you won't have to store the salt separately. – martinstoeckli Oct 04 '16 at 18:27
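
The salt problem discussed in this thread, as an added example that is not code from the question, the answer or the comments: raw random bytes can contain `$`, NUL or bytes that are invalid in a text column's character set, so the sketch below encodes them into the `./0-9A-Za-z` alphabet used by crypt() salts before calling crypt() with `$6$`. The helper names are hypothetical, and it assumes PHP 7+ for `random_bytes()` (`hash_equals()` needs 5.6+); `password_hash()` remains the simpler route recommended in the answer.

```php
<?php
// Added example; cryptSafeSalt, hashPassword and verifyPassword are hypothetical names.

// Map raw random bytes onto the ./0-9A-Za-z alphabet that crypt() salts use.
function cryptSafeSalt($rawBytes, $length = 16)
{
    // base64 yields A-Za-z0-9+/ plus '=' padding: swap '+' for '.', drop '='.
    $encoded = strtr(rtrim(base64_encode($rawBytes), '='), '+', '.');
    if (strlen($encoded) < $length) {
        throw new InvalidArgumentException('not enough random bytes for the salt');
    }
    return substr($encoded, 0, $length);
}

function hashPassword($password)
{
    // 12 random bytes encode to exactly 16 base64 characters (no padding).
    $salt = cryptSafeSalt(random_bytes(12));
    $hash = crypt($password, '$6$' . $salt . '$');
    // On failure crypt() returns a short marker such as "*0", not a real hash.
    if (!is_string($hash) || strlen($hash) < 20) {
        throw new RuntimeException('crypt() failed');
    }
    // The result holds the algorithm id, the salt and the digest, all printable
    // ASCII, so one text column stores everything needed for verification.
    return $hash;
}

function verifyPassword($password, $storedHash)
{
    // crypt() reads the algorithm and salt back out of the stored string;
    // hash_equals() compares in constant time.
    return hash_equals($storedHash, crypt($password, $storedHash));
}

$stored = hashPassword('correct horse'); // constructed sample password
var_dump(preg_match('#^\$6\$[./0-9A-Za-z]{16}\$[./0-9A-Za-z]{86}$#', $stored) === 1);
var_dump(verifyPassword('correct horse', $stored));
var_dump(verifyPassword('wrong guess', $stored));
```

Because the stored string is pure ASCII, it survives any common column charset or collation without a separate salt column.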