Re: password hashing and crypt()

alright, so you guys have responded and i'm really appreciative.
you have me thinking now..
so what are the real issues here?

   1. portability
   2. security (obviously)

i'm wondering now if crypt() is really even so practical.  especially
considering the deal where only 2 characters are prepended as the
salt.
in the article i referenced, what they've done is written a function
that creates a password with a salt whereby the entire salt
will be used in the resultant hash (actually a definable portion thereof):

define('SALT_LENGTH', 9);

function generateHash($plainText, $salt = null)
{
    if ($salt === null)
    {
        $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
    }
    else
    {
        $salt = substr($salt, 0, SALT_LENGTH);
    }

    return $salt . sha1($salt . $plainText);
}

i must admit that i didn't realize they were not using crypt() in this
function.
i must have glazed over it :(
after all this discussion, i'm now mostly looking for a reason to use crypt()
rather than to implement a function such as the one above.  it has the
advantage of a known, consistent algorithm, that will be used to generate
the hash, rather than one that could potentially change on a per system or
future release basis; and the salt isn't limited to 2 characters.

-nathan
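
The verification side of both schemes discussed above, as an added example that is not part of the original message or the referenced article: a stored generateHash() value and a crypt() value each carry their own salt, so checking a password means re-running the hash with the stored string as the salt source and comparing in constant time. verifyHash() and verifyCrypt() are hypothetical helper names, the password is a constructed sample, and the bcrypt call goes beyond the post to show crypt() with a 22-character salt; PHP 7 or later is assumed.

```php
<?php
define('SALT_LENGTH', 9);

// generateHash() as quoted in the message above, behaviour unchanged.
function generateHash($plainText, $salt = null)
{
    if ($salt === null) {
        $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
    } else {
        $salt = substr($salt, 0, SALT_LENGTH);
    }
    return $salt . sha1($salt . $plainText);
}

// Hypothetical helper: check a candidate against a stored generateHash() value.
function verifyHash($plainText, $stored)
{
    // Stored layout: SALT_LENGTH salt characters + 40 hex characters of SHA-1.
    if (!is_string($stored) || strlen($stored) !== SALT_LENGTH + 40) {
        return false; // malformed or truncated record
    }
    // Passing the stored value as $salt reuses its first SALT_LENGTH characters.
    return hash_equals($stored, generateHash($plainText, $stored));
}

// Hypothetical helper: the same check for a hash produced by crypt().
function verifyCrypt($plainText, $stored)
{
    // crypt() reads the algorithm prefix and salt back out of the stored hash.
    $candidate = crypt($plainText, $stored);
    // On failure crypt() returns a short marker such as "*0"; reject it.
    if (strlen($candidate) < 13) {
        return false;
    }
    return hash_equals($stored, $candidate);
}

$stored = generateHash('correct horse');   // constructed sample password
var_dump(verifyHash('correct horse', $stored));
var_dump(verifyHash('wrong guess', $stored));
var_dump(verifyHash('correct horse', substr($stored, 0, 20)));

// bcrypt through crypt(): "$2y$", a cost of 10, then 22 salt characters.
$salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
$bcrypt = crypt('correct horse', '$2y$10$' . $salt);
var_dump(verifyCrypt('correct horse', $bcrypt));
var_dump(verifyCrypt('wrong guess', $bcrypt));
```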
