I’m using Adam Griffiths’s Authentication Library for CodeIgniter and I’m tweaking the usermodel.
I came across a generate function that he uses to generate tokens.
His preferred approach is to reference a value from random.org, but I considered that superfluous. I’m using his fallback approach of randomly generating a 20-character-long string:
$length = 20;
$characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
$token = '';
for ($i = 0; $i < $length; $i++) {
    // pick one character per position; note mt_rand() is a general-purpose PRNG, not a CSPRNG
    $token .= $characters[mt_rand(0, strlen($characters) - 1)];
}
He then hashes this token using a salt (I’m combining code from different functions):
sha1($this->CI->config->item('encryption_key').$str);
I was wondering if there’s any reason to run the token through the salted hash?
I’ve read that simply randomly generating strings was a naive way of making random passwords, but is the sha1 hash and salt necessary?
Note: I got my encryption_key from https://www.grc.com/passwords.htm (63 random alpha-numeric)
Salting a hash is used to decrease the possibility of collision and ensure that the hash can’t be found in a database (like this) – if everybody is using md5() for storing their passwords, then a password file/database could be “de-hashed” by looking up the md5’d value of the password. Using a salt, there is an added unknown element to the hash, which means the code for generating the salt must also be known to try and brute force the hash. In the context of generating a random password, I can’t see any point in salting the hash as the password data is random anyway.
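As an added illustration of the answer’s point (this is example code, not part of the question, the answer, or Adam Griffiths’s library): the same 20-character alphanumeric generator as in the question, with mt_rand() swapped for PHP’s CSPRNG random_int() (available since PHP 7.0), plus the entropy arithmetic that shows why a salted sha1() of the token cannot make it any harder to guess. The salt value is a placeholder standing in for the CodeIgniter encryption_key config item.

```php
<?php
// Added example, not the library's own code. Builds a 20-character token from
// the question's 62-symbol alphabet using random_int() (OS-backed CSPRNG)
// instead of mt_rand(), whose output becomes predictable once enough of it
// has been observed.
function generateToken(int $length = 20): string
{
    $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $max = strlen($characters) - 1;
    $token = '';
    for ($i = 0; $i < $length; $i++) {
        $token .= $characters[random_int(0, $max)];
    }
    return $token;
}

// Entropy, in bits, of a token drawn uniformly from $alphabetSize symbols at
// $length positions: log2(alphabetSize ^ length). For 62 symbols and 20
// positions this is about 119 bits.
function tokenEntropyBits(int $alphabetSize, int $length): float
{
    return $length * log($alphabetSize, 2);
}

$token = generateToken();
$salt = 'PLACEHOLDER_ENCRYPTION_KEY'; // stands in for config item 'encryption_key'

// sha1() is deterministic: given the salt, each token maps to exactly one
// digest. The digest is 160 bits wide, but it can carry no more than the
// ~119 bits of entropy that went in, so an attacker guessing the token still
// faces the same 62^20 search space with or without the hash.
$digest = sha1($salt . $token);

printf("token:  %s (%.1f bits of entropy)\n", $token, tokenEntropyBits(62, 20));
printf("sha1:   %s (160-bit digest, still at most %.1f bits of entropy)\n",
    $digest, tokenEntropyBits(62, 20));
```

The useful change here is the generator, not the hash: the predictability of mt_rand() is the weakness that a salted hash does nothing to fix.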