I'm looking at some code that I have not written myself. The code tries to hash a password with SHA512 and uses just
time() as the salt. Is
time() too simple a salt for this or is this code safe?
Thanks for the answers and comments. I will sum it up here for the new readers:
- salt should be different for each user, so if 2 users register at the same time, their salts won't be unique. This is a problem, but not a big one.
- but salt shouldn't be in any way related to the user, so time() is not a good salt.
- "Use a random, evenly distributed, high entropy salt." -- That's a mouthful, so what code could possibly generate a
random, evenly distributed, high entropysalt?
Ok, so how about I replace time() with a random string 32 char long. The random string could be generated from looping 32 times over a set of alphabet chars. Does that sound good?
time()is not a good salt.
copied from my answer to Salt Generation and open source software
As for what seems to be a good source for your random salt
Also read: What is the most secure seed for random number generation?
In the absence of dedicated, hardware based, random generators, the best way of obtaining random data is to ask the operating system (on Linux, this is called
/dev/urandom[both have advantages and problems, choose your poison]; on Windows, call
If for some reason you do not have access to the above mentioned sources of random, in PHP you could use the following function:
From the source of phpass v0.3