On Saturday, February 15, 2014 20:58:28 Petko Yotov wrote:
> Hello.
>
> There was a known bug in some PHP versions when crypt() is used without a
> "salt" parameter, see http://www.pmwiki.org/wiki/PITS/01277 .
>
> This was a bug, but from PHP 5.6 on there will be a "feature", and using
> crypt() without a salt will raise E_NOTICE. See http://php.net/crypt .
>
> We are using crypt() without a salt to create hashes from passwords.
>
> Does anyone have a suggestion how to implement a random enough salt
> parameter?

One suggestion I've seen for this is taking a long section of the value of Pi as a string, and using pieces of that as the salt. Perhaps taking a long section as a string, and choosing a piece based on the local time?

[I'm only suggesting this because I'm making the assumption that a local source of "good" randomness such as /dev/urandom is not available. However from what I've read, what "good" randomness means even if this device exists differs depending on the system in question.]

  -- Chris

--
Chris Knadle
chris.kna...@coredump.us
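
An added example, not part of the thread and not PmWiki code: one way to build a per-password salt for crypt() that uses a system random source when one exists and falls back when it does not. The `example_*` function names and the bcrypt cost of 10 are assumptions, and the `$2y$` prefix assumes PHP 5.3.7 or later.

```php
<?php
// Added example. Function names are hypothetical, not PmWiki's API.

// Return $n bytes from the strongest random source this PHP build offers.
function example_random_bytes($n) {
    if (function_exists('random_bytes')) return random_bytes($n);   // PHP 7+
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $b = openssl_random_pseudo_bytes($n, $strong);
        if ($b !== false && $strong && strlen($b) === $n) return $b;
    }
    $fh = @fopen('/dev/urandom', 'rb');
    if ($fh) {
        $b = fread($fh, $n);
        fclose($fh);
        if ($b !== false && strlen($b) === $n) return $b;
    }
    // Last resort, NOT cryptographically strong: it still differs per call,
    // which is what a salt needs (the salt is stored in clear in the hash).
    for ($b = ''; strlen($b) < $n; ) $b .= sha1(uniqid(mt_rand(), true), true);
    return substr($b, 0, $n);
}

// Build a salt string in the format crypt() expects for the best algorithm.
function example_crypt_salt() {
    // 16 random bytes -> 22+ characters of the crypt alphabet ./0-9A-Za-z
    $s = strtr(base64_encode(example_random_bytes(16)), '+', '.');
    if (defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH)
        return '$2y$10$' . substr($s, 0, 22);   // bcrypt, cost 10 (assumed)
    if (defined('CRYPT_MD5') && CRYPT_MD5)
        return '$1$' . substr($s, 0, 8) . '$';  // MD5-crypt
    return substr($s, 0, 2);                    // traditional DES crypt
}

function example_hash_password($password) {
    $hash = crypt($password, example_crypt_salt());
    // crypt() reports failure with a short string such as "*0"
    return (is_string($hash) && strlen($hash) >= 13) ? $hash : false;
}

function example_check_password($password, $stored) {
    $calc = crypt($password, $stored);  // the stored hash carries its salt
    if (!is_string($calc) || strlen($calc) !== strlen($stored)) return false;
    for ($i = 0, $diff = 0; $i < strlen($calc); $i++)   // constant-time compare
        $diff |= ord($calc[$i]) ^ ord($stored[$i]);
    return $diff === 0;
}

$h = example_hash_password('correct horse');    // constructed sample password
var_dump($h !== false && example_check_password('correct horse', $h));
```

Because the salt is embedded in the stored hash, existing hashes created without an explicit salt still verify through `crypt($password, $stored)`; only newly created hashes use the generated salt.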