Crypt() with automatic salt

Posted: Thu Oct 19, 2006 8:36 pm
by Amuro Hajime
I currently use the crypt() function set to MD5 without a salt. I am kind of confused at the moment because when I read the php.net entry for crypt() it says:
If the salt argument is not provided, one will be randomly generated by PHP each time you call this function.

So when I go: $hash = crypt("mypassword");

Is that the same as using md5 with a salt (if crypt was set to use MD5)? I don't want to get into a debate on how secure MD5 is but I would like to use a salt with it and it seems that if PHP is randomly generating one in crypt() then that would be more secure than me having a $salt variable that I defined lying around for someone to look at when they hack my site.

The only drawback I can find to this automatic salt is if it was running in a loop. Which seems to imply that there is a period before PHP picks a new random salt. Anyone know how long that is?

Oh and sorry for raising the dead thread earlier. Won't happen again.
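
Added example, not part of the original post: the string crypt() returns carries the scheme and salt in its prefix, so verification passes the stored hash back as the salt argument and no separate $salt variable has to be kept. It assumes PHP 7 or later; the function names are hypothetical, and the salt is generated explicitly because PHP 8 requires the salt argument.

```php
<?php
// Added example; make_md5_salt, hash_password and verify_password are
// hypothetical names, not taken from the post or from php.net.

function make_md5_salt(): string
{
    // 6 random bytes encode to exactly 8 base64 characters (no padding).
    // Map '+' to '.' so the result stays in crypt's alphabet [./0-9A-Za-z].
    $raw = strtr(base64_encode(random_bytes(6)), '+', '.');

    // "$1$" selects the MD5-based scheme, followed by the 8-character salt.
    return '$1$' . $raw . '$';
}

function hash_password(string $password): string
{
    // A fresh salt is drawn on every call, including calls made in a loop.
    return crypt($password, make_md5_salt());
}

function verify_password(string $password, string $stored): bool
{
    // crypt() reads the scheme and salt from the prefix of $stored,
    // so re-hashing the candidate with $stored as the salt reproduces it
    // only when the password matches. hash_equals compares in constant time.
    return hash_equals($stored, crypt($password, $stored));
}

// Constructed sample password, hashed twice.
$a = hash_password('mypassword');
$b = hash_password('mypassword');

echo $a, "\n", $b, "\n";

// Same password, different salts: compare the two stored strings.
var_dump($a === $b);

// Verification needs only the candidate password and the stored string.
var_dump(verify_password('mypassword', $a));
var_dump(verify_password('wrongpassword', $a));
```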