Do I need to Salt and Hash a randomly generated token?
Posted
by wag2639
on Stack Overflow
See other posts from Stack Overflow
or by wag2639
Published on 2010-03-19T20:34:49Z
Indexed on
2010/03/19
20:51 UTC
Read the original article
Hit count: 226
saltedhash
I'm using Adam Griffiths's Authentication Library for CodeIgniter and I'm tweaking the usermodel.
I came across a generate function that he uses to generate tokens.
His preferred approach is to reference a value from random.org but I considered that superfluous. I'm using his fall back approach of randomly generating a 20 character long string:
$length = 20;
$characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
$token = '';
for ($i = 0; $i < $length; $i++) {
$token .= $characters[mt_rand(0, strlen($characters)-1)];
}
He then hashes this token using a salt (I'm combing code from different functions)
sha1($this->CI->config->item('encryption_key').$str);
I was wondering if theres any reason to to run the token through the salted hash?
I've read that simply randomly generating strings was a naive way of making random passwords but is the sh1 hash and salt necessary?
Note: I got my encryption_key from https://www.grc.com/passwords.htm (63 random alpha-numeric)
© Stack Overflow or respective owner