Crypt() with automatic salt
Posted: Thu Oct 19, 2006 8:36 pm
I currently use the crypt() function set to MD5 without a salt. I am kind of confused at the moment because when I read the php.net entry for crypt() it says:
If the salt argument is not provided, one will be randomly generated by PHP each time you call this function.
So when I go: $hash = crypt("mypassword");
Is that the same as using md5 with a salt (if crypt was set to use MD5)? I don't want to get into a debate on how secure MD5 is but I would like to use a salt with it and it seems that if PHP is randomly generating one in crypt() then that would be more secure than me having a $salt variable that I defined lying around for someone to look at when they hack my site.
The only drawback I can find to this automatic salt is if it was running in a loop. Which seems to imply that there is a period before PHP picks a new random salt. Anyone know how long that is?
Oh and sorry for raising the dead thread earlier. Won't happen again.
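An added example, not part of the original post: it shows that an MD5-mode crypt() hash carries its salt inside the returned string, so a per-password random salt needs no separate $salt variable and is checked by passing the stored hash back in as the salt. The helper names are hypothetical, and the salt is passed explicitly (newer PHP versions require the argument) so that it is visible.

```php
<?php
// Added example; make_md5_crypt_salt(), hash_password() and
// verify_password() are hypothetical helper names, not PHP built-ins.

// Build an MD5-crypt salt string: "$1$" + 8 chars from [./0-9A-Za-z] + "$".
function make_md5_crypt_salt(): string
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    foreach (str_split(random_bytes(8)) as $byte) {
        // Map each random byte onto the 64-character salt alphabet.
        $salt .= $alphabet[ord($byte) & 63];
    }
    return '$1$' . $salt . '$';
}

// Hash with a fresh random salt; the result has the form "$1$<salt>$<digest>".
function hash_password(string $password): string
{
    return crypt($password, make_md5_crypt_salt());
}

// Verify by re-running crypt() with the stored hash as the salt argument:
// crypt() reads the "$1$<salt>$" prefix from it and ignores the rest.
function verify_password(string $password, string $stored): bool
{
    return hash_equals($stored, crypt($password, $stored));
}

// Constructed sample input: the same password hashed twice.
$first  = hash_password('mypassword');
$second = hash_password('mypassword');

echo "first hash:   $first\n";
echo "second hash:  $second\n";
echo "salt prefix:  " . substr($first, 0, 12) . "\n";

// Compare the two hashes, then check a right and a wrong password.
var_dump($first === $second);
var_dump(verify_password('mypassword', $first));
var_dump(verify_password('not-the-password', $first));
```

PHP's password_hash() and password_verify() follow the same store-the-salt-in-the-hash pattern.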