Generating a salt in PHP

php random cryptography salt
qster picture qster · Mar 25, 2010 · Viewed 33.7k times · Source

What's the best way to generate a cryptographically secure 32 bytes salt in PHP, without depending on libraries seldom included in typical PHP installations?

After some googling I discovered that mt_rand is not considered secure enough, but I haven't found a suggestion for a replacement. One article suggested reading from /dev/random but not only this won't work on windows; it is also very slow.

I want a reasonable balance between security and speed (ie, it shouldn't take 20 seconds to generate 512 bytes, like /dev/random usually does)

Answer

Scott Arciszewski picture Scott Arciszewski · Dec 9, 2015

This is easier in PHP 7: Just use $salt = random_bytes($numberOfDesiredBytes); to generate a salt.

What do you need a salt for, anyway? If it's for passwords, just use password_hash() and password_verify().

Related questions

PHP random string generator

I'm trying to create a randomized string in PHP, and I get absolutely no output with this: <?php function RandomString() { $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'; $randstring = ''; for ($i = 0; $i < 10; $i++) { $randstring = $characters[rand(0, strlen($characters))]; } return $randstring; } RandomString(); echo $…

Read More
PHP: How to generate a random, unique, alphanumeric string for use in a secret link?

How would it be possible to generate a random, unique string using numbers and letters for use in a verify link? Like when you create an account on a website, and it sends you an email with a link, and …

Read More
Generating a random password in php

I am trying to generate a random password in php. However I am getting all 'a's and the return type is of type array and I would like it to be a string. Any ideas on how to correct the …

Read More