I am developing a site in php 5.4 and i was wondering which is better to use to gen a random salt for password security?
$salt = sha1(openssl_random_pseudo_bytes(23));
or
$seed = '';
$a = @fopen('/dev/urandom','rb');
$seed .= @fread($a,23);
$salt = sha1($seed);
or should i just go with:
$salt = openssl_random_pseudo_bytes(40);
or
$salt = '';
$a = @fopen('/dev/urandom','rb');
$salt .= @fread($a,23);
For security purposes you are better off using openssl_random_pseudo_bytes. OpenSSL takes care of gathering enough entropy to serve you good randomness. /dev/urandom is devised to never block and could be tricked into giving you not so random bytes.
With random bytes you do not need to run them through SHA1.
To sum it all, do:
$salt = openssl_random_pseudo_bytes(40, $cstrong);
if (! $cstrong) {
exit('This should not happen');
}
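As an added example (not code from the question or the answer above), here is the answer's approach wrapped in a helper that fails closed when OpenSSL cannot report strong output, plus the question's /dev/urandom variant with the open and short-read checks its snippet omits. The function names and the 32-byte length are assumptions; the salt is hex-encoded so it can be stored in a text column without hashing it first.

```php
<?php
// Added example: generate a per-user salt with OpenSSL and refuse to
// continue if the bytes are not flagged as cryptographically strong.
function generate_salt($bytes = 32)
{
    $raw = openssl_random_pseudo_bytes($bytes, $cstrong);
    if ($raw === false || $cstrong !== true) {
        // Fail closed rather than fall back to a predictable salt.
        throw new RuntimeException('OpenSSL could not provide strong random bytes');
    }
    // Hex-encode: raw bytes may contain NUL and invalid UTF-8 sequences.
    // This keeps all of the entropy, unlike running them through sha1().
    return bin2hex($raw);
}

// The question's /dev/urandom approach, with error handling: check that
// the device opened, that the full length was read, and close the handle.
function generate_salt_urandom($bytes = 32)
{
    $fh = fopen('/dev/urandom', 'rb');
    if ($fh === false) {
        throw new RuntimeException('cannot open /dev/urandom');
    }
    $raw = fread($fh, $bytes);
    fclose($fh);
    if ($raw === false || strlen($raw) !== $bytes) {
        throw new RuntimeException('short read from /dev/urandom');
    }
    return bin2hex($raw);
}

// Usage: a fresh salt per user; 32 bytes become 64 hex characters.
$salt = generate_salt(32);
var_dump(strlen($salt) === 64);
```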