Usally we use mt_rand to create a random salt to use it with crypt(). But according to mt_rand manual page on php's site "not be used for cryptographic purposes[...]consider using openssl_random_pseudo_bytes() instead." Also, at crypt manual page on php's site, someone suggest to use the
mcrypt_create_iv
So, to test them, I took this crypt's wrapper and change the following line
$salt .= substr("./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", mt_rand(0, 63), 1);
//change it to
$salt .= substr("./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", openssl_random_pseudo_bytes(63, $cstrong), 50);
$salt .= substr("./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", mcrypt_create_iv(63, MCRYPT_RAND), 50);
$salt .= substr("./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", mt_srand(), 1);
Then I commented all the lines except one and start running the code, to check each function. I refreshed my page and the validation works fine. But when I run openssl_random_pseudo_bytes or mcrypt_create_iv I see the same hash frequently.
$2y$08$$$$$$$$$$$$$$$$$$$$$$.UrC6Lo4LNk8iLmoi25KEoVzHHTK7tNC
I saw the above hash like 10 times.
When I use mt_srand the hash never changes at all.
I test the same functions in another, simpler wrapper, found here and they act the same as I described above.
I am a begginer with hashing and crypt. I'm confused, what should I actually use?
Using openssl_random_pseudo_bytes() is about the best you can do in php to get random bytes. I'm not sure what you're trying to do with the substr(), as openssl_random_pseudo_bytes() returns bytes, not an offset.
To clarify, you could use openssl_random_pseudo_bytes(64) on its own to generate a 64 byte salt.