Crypt() with automatic salt

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Amuro Hajime
Forum Newbie
Posts: 2
Joined: Thu Oct 19, 2006 8:05 pm

Post by Amuro Hajime »

I currently use the crypt() function set to MD5 without a salt. I am kind of confused at the moment because when I read the php.net entry for crypt() it says:
"If the salt argument is not provided, one will be randomly generated by PHP each time you call this function."

So when I go: $hash = crypt("mypassword");

Is that the same as using md5 with a salt (if crypt was set to use MD5)? I don't want to get into a debate on how secure MD5 is but I would like to use a salt with it and it seems that if PHP is randomly generating one in crypt() then that would be more secure than me having a $salt variable that I defined lying around for someone to look at when they hack my site.

The only drawback I can find to this automatic salt is if it was running in a loop. Which seems to imply that there is a period before PHP picks a new random salt. Anyone know how long that is?

Oh and sorry for raising the dead thread earlier. Won't happen again.
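An added example, not part of the original post: with crypt()'s MD5 scheme the salt is written into the returned hash string, so nothing separate has to be stored, and a login check passes the stored hash back in as the salt argument. It supplies the salt explicitly because that argument is mandatory as of PHP 8.0; the helper names and the sample passwords are constructed for illustration, and PHP 7 or later is assumed for random_bytes().

```php
<?php
// Added example: helper names and sample passwords are constructed for illustration.

// Build an MD5-crypt salt string: "$1$", 8 characters from [./0-9A-Za-z], then "$".
function make_md5_crypt_salt(): string
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    foreach (str_split(random_bytes(8)) as $byte) {
        // The alphabet has 64 entries, so masking to 6 bits introduces no bias.
        $salt .= $alphabet[ord($byte) & 63];
    }
    return '$1$' . $salt . '$';
}

// Hash at registration time. The returned string begins with the scheme
// marker and the salt, followed by the digest.
function hash_password(string $password): string
{
    return crypt($password, make_md5_crypt_salt());
}

// Verify at login. Passing the stored hash as the salt makes crypt() reuse
// the scheme and salt embedded in it; hash_equals() compares in constant time.
function verify_password(string $password, string $stored): bool
{
    return hash_equals($stored, crypt($password, $stored));
}

$first  = hash_password('mypassword');
$second = hash_password('mypassword');

// The stored value itself shows the "$1$<salt>$" prefix.
echo $first, PHP_EOL;
echo $second, PHP_EOL;

// Same password, independent salts: check whether the two hashes differ.
var_dump($first !== $second);

// Verification needs only the stored hash, with no separate $salt variable.
var_dump(verify_password('mypassword', $first));
var_dump(verify_password('wrongpassword', $first));
```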