Usually we use mt_rand to create a random salt to use with crypt().
But according to the mt_rand manual page on php's site, it should "not be used for cryptographic purposes[...]consider using openssl_random_pseudo_bytes() instead." Also, on the crypt manual page on php's site, someone suggests using mcrypt_create_iv.
So, to test them, I took this crypt wrapper and changed the following line:
$salt .= substr("./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", mt_rand(0, 63), 1);
//change it to
$salt .= substr("./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", openssl_random_pseudo_bytes(63, $cstrong), 50);
$salt .= substr("./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", mcrypt_create_iv(63, MCRYPT_RAND), 50);
$salt .= substr("./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", mt_srand(), 1);
Then I commented out all the lines except one and started running the code, to check each function. I refreshed my page and the validation works fine. But when I run openssl_random_pseudo_bytes or mcrypt_create_iv, I see the same hash frequently:
$2y$08$$$$$$$$$$$$$$$$$$$$$$.UrC6Lo4LNk8iLmoi25KEoVzHHTK7tNC
I saw the above hash about 10 times.
When I use mt_srand, the hash never changes at all.
I tested the same functions in another, simpler wrapper, found here, and they act the same as I described above.
I am a beginner with hashing and crypt. I'm confused, what should I actually use?
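The following is an added example and is not code from the question or from either wrapper it links to. It shows the salt-building step done with openssl_random_pseudo_bytes() the way crypt() expects: openssl_random_pseudo_bytes() and mcrypt_create_iv() return a binary string, not an integer, so their return value cannot be used directly as the offset argument of substr(); each byte has to be mapped to an index into the 64-character salt alphabet instead. (mt_srand() returns nothing, so that offset is always 0 and the salt is always the same.) The example assumes PHP 5.3.7 or later with the OpenSSL extension (for the "$2y$" prefix) and PHP 5.6 or later for hash_equals(); the function names are my own.

```php
<?php
// Added example, not from the original post: build a bcrypt setting string for
// crypt() from cryptographically secure bytes. Assumes PHP >= 5.3.7 with the
// OpenSSL extension ("$2y$") and PHP >= 5.6 for hash_equals().

// The 64-character alphabet that bcrypt salts are drawn from.
const SALT_ALPHABET = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

/**
 * Return $length characters from SALT_ALPHABET chosen with openssl_random_pseudo_bytes().
 *
 * The function returns a binary string, so every byte is mapped to an alphabet
 * index. The alphabet has exactly 64 entries and 256 is a multiple of 64, so
 * "byte mod 64" is uniform and introduces no modulo bias.
 */
function secure_salt_chars($length)
{
    $strong = false;
    $bytes = openssl_random_pseudo_bytes($length, $strong);
    if ($bytes === false || $strong !== true) {
        // Refuse to hand out a salt from a failed or non-cryptographic source.
        throw new RuntimeException('No cryptographically strong random source available');
    }
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        $salt .= SALT_ALPHABET[ord($bytes[$i]) % 64];
    }
    return $salt;
}

/**
 * Build the full bcrypt setting "$2y$<cost>$<22 salt chars>" that crypt() expects.
 */
function bcrypt_setting($cost = 10)
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    return sprintf('$2y$%02d$%s', $cost, secure_salt_chars(22));
}

function hash_password($password, $cost = 10)
{
    $hash = crypt($password, bcrypt_setting($cost));
    // A valid "$2y$" hash is always 60 characters; crypt() returns a short
    // string such as "*0" when it cannot use the setting.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('crypt() did not produce a bcrypt hash');
    }
    return $hash;
}

function verify_password($password, $hash)
{
    // crypt() re-derives the hash from the cost and salt embedded in $hash;
    // hash_equals() compares in constant time.
    return hash_equals($hash, crypt($password, $hash));
}

// Demonstration: two hashes of the same password differ because their salts
// differ, and both verify against the original password only.
$password = 'correct horse battery staple';
$h1 = hash_password($password, 8);
$h2 = hash_password($password, 8);
echo $h1, "\n", $h2, "\n";
if ($h1 === $h2) {
    throw new RuntimeException('salts should differ between calls');
}
if (!verify_password($password, $h1) || verify_password('wrong password', $h1)) {
    throw new RuntimeException('verification behaved unexpectedly');
}
echo "ok\n";
```

On PHP 5.5 and later, password_hash($password, PASSWORD_BCRYPT) generates the salt and calls crypt() itself, and password_verify() does the comparison, so the manual salt handling above is only needed on older versions or where crypt() has to be called directly.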