I am trying to create blowfish hashes, and I was wondering if this is enough to count on mt_rand () to create salt for me
function blowfish($string, $salt = NULL, $iterations = '08') { if( ! $salt) { $seed = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; for ($i = 0; $i < 22; $i++) { $salt .= $seed{mt_rand(0, 63)}; } $salt = '$2a$' . $iterations . '$' . $salt; } return crypt($string, $salt); }
The $ seed symbol above is a permitted 64-character animated orange nozzle . I plan to use this to generate and compare passwords.
$password = 'my^$%#password'; $hash = blowfish($password); if($hash = blowfish($password, $hash)) { print "Matches\n"; print $hash . "\n"; }
Edit
I never realized this, but what @zerkms says is true. Salts are only for preventing repeated re-attacks, as the salt is known at the same point that they have access to the hash. Thus, the goal is not an irreversible salt - it is a random salt.
So, is there something wrong with this?
function blowfish($string, $salt = NULL, $iterations = '12') { return crypt($string, $salt ?: "$2a\$$iterations$" . md5(uniqid('', true))); }
In addition, as noted in the header code and above, I do not implement my own hashing algorithm.
Update 2
Using the mcrypt extension, if loaded, leads to the following, which is actually faster because uniqid (u) is sleeping or something like that.
function blowfish($string, $salt = NULL, $iterations = '12') { return crypt($string, $salt ?: "$2a\$$iterations$" . base64_encode(mcrypt_create_iv(22, MCRYPT_DEV_URANDOM))); }
Update 3
base64_encode is faster than md5, but it has invalid blowfish characters like + . So now it is changed to md5.
function blowfish($string, $salt = NULL, $iterations = '12') { return crypt($string, $salt ?: "$2a\$$iterations$" . md5(mcrypt_create_iv(22, MCRYPT_DEV_URANDOM))); }