I am working on a php/mysql login system for a webproject. After looking through SO and alot of articles on the web Ive come up with a basic framework and started writing some code for it. However Ive come to a bit of an impasse in password encryption.
After a nights worth of reading Ive found out that:
- I should the users password with at least sha1 or sha2
- I should also use a randomly generated salt (this is what I need help with) and append it to the password before encrypting it
- the hashed password and the randomly generated salt should be stored in the database and then queried and combined/encrypted then checked against the users hashed password.
My problem is coming in randomly generating the salt,
Possibilities I can think of:
Use mt_rand() in a loop to pick an ASCII code, get the corresponding character with chr() and concatenate to salt.
This allows to create salts with any length.
Define a string with available characters, use mt_rand() in a loop to pick random positions from it, extract the character in the selected position with substr() or mb_substr() and concatenate to salt.
This allows to create salts with a chosen character set and length.
Use a builtin function that generates a random string (e.g. uniqid()) and optionally hash it.
This is quick and simple.
I normally use the second option.