I use the Adam Griffiths authentication library for CodeIgniter and I am setting up a user model.
I came across a generation function that it uses to generate tokens.
His preferred approach is to reference a value from random.org, but I thought that was redundant. I fall back on his other approach of randomly generating a string 20 characters long:

    $length = 20;
    // alphabet of 62 characters: digits, lower case, upper case
    $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $token = '';
    for ($i = 0; $i < $length; $i++) {
        // pick one character per iteration; note mt_rand() is a Mersenne Twister,
        // not a cryptographically secure generator
        $token .= $characters[mt_rand(0, strlen($characters) - 1)];
    }
Then it hashes this token with a salt (I am combining code from different functions):

    // $str is the 20-character token above; the config item acts as the salt
    sha1($this->CI->config->item('encryption_key') . $str);
I was wondering if there is any reason to run a token through a salted hash?
I read that just randomly generating strings was a naive way to create random passwords, but do I need to salt and SHA-1 hash it?
encryption_key: https://www.grc.com/passwords.htm (63 -)
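An added example, not code from the post or from the Adam Griffiths library, showing the two halves of the pattern the question is about: the token handed to the user is drawn with PHP's CSPRNG (`random_int`, PHP 7+) instead of `mt_rand`, only a keyed digest of it is stored (`hash_hmac('sha256')` here, in place of the post's `sha1($key . $str)`), and the lookup compares in constant time. The `$encryption_key` value, the in-memory `$store` array and the function names are assumptions standing in for the CodeIgniter config item and a database table.

```php
<?php
// Added example; not the library's code. The key, the store and the function
// names are assumptions standing in for CodeIgniter config and a DB table.

const TOKEN_LENGTH   = 20;
const TOKEN_ALPHABET = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

// Same alphabet and length as the post, but random_int() reads from the OS
// CSPRNG. mt_rand() is a Mersenne Twister whose state can be recovered from
// observed output, so tokens built from it can be predicted.
function generate_token(int $length = TOKEN_LENGTH): string
{
    $max   = strlen(TOKEN_ALPHABET) - 1;
    $token = '';
    for ($i = 0; $i < $length; $i++) {
        $token .= TOKEN_ALPHABET[random_int(0, $max)];
    }
    return $token;
}

// Keyed digest used for storage. Storing the digest rather than the token
// means someone who can read the table (SQL injection, leaked backup) gets
// values that are not themselves valid bearer tokens; keying the hash with
// the site secret means the digests cannot be reversed by brute force
// without that secret, even for short or weak tokens.
function token_digest(string $token, string $key): string
{
    return hash_hmac('sha256', $token, $key);
}

// Issue a token: return the raw value to the caller, keep only the digest.
function issue_token(array &$store, int $user_id, string $key): string
{
    $token = generate_token();
    $store[token_digest($token, $key)] = $user_id;
    return $token;
}

// Look a presented token up by its digest. hash_equals() runs in constant
// time so the comparison does not leak how many leading bytes matched.
function lookup_token(array $store, string $presented, string $key): ?int
{
    $digest = token_digest($presented, $key);
    foreach ($store as $stored_digest => $user_id) {
        if (hash_equals((string) $stored_digest, $digest)) {
            return $user_id;
        }
    }
    return null;
}

// Usage. In the real application the key would come from
// $this->CI->config->item('encryption_key'); this literal is an assumption.
$encryption_key = 'assumed-site-key-replace-with-config-value';
$store = [];  // stands in for a database table of (digest, user_id) rows

$token = issue_token($store, 42, $encryption_key);
assert(lookup_token($store, $token, $encryption_key) === 42);
assert(lookup_token($store, 'not-a-real-token-xxx', $encryption_key) === null);
echo "issued token: $token\n";
```

The point of the split is that the client only ever sees `$token`, the database only ever sees `token_digest($token, $key)`, and neither half on its own is enough to authenticate: a leaked table does not hand out working tokens, and a leaked token is useless once its row is deleted.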