Do I need to Salt and Hash a randomly generated token?

Posted by wag2639 on Stack Overflow
Published on 2010-03-19T20:34:49Z


I'm using Adam Griffiths's Authentication Library for CodeIgniter and I'm tweaking the usermodel.

I came across a generate function that he uses to generate tokens.

His preferred approach is to reference a value from random.org but I considered that superfluous. I'm using his fall back approach of randomly generating a 20 character long string:

$length = 20;
// Alphabet of 62 characters: digits, lower-case and upper-case letters.
$characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
$token = '';
// Pick one character of the alphabet per position using mt_rand().
for ($i = 0; $i < $length; $i++) {
    $token .= $characters[mt_rand(0, strlen($characters) - 1)];
}

He then hashes this token using a salt (I'm combining code from different functions):

// $str is the token generated above; encryption_key is read from the CodeIgniter config.
sha1($this->CI->config->item('encryption_key') . $str);

I was wondering if there's any reason to run the token through the salted hash?

I've read that simply randomly generating strings was a naive way of making random passwords, but is the sha1 hash and salt necessary?

Note: I got my encryption_key from https://www.grc.com/passwords.htm (63 random alphanumeric characters).
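As an added example (not code from the original post or from Adam Griffiths's Authentication Library), here is the same token pattern written the way a security engineer would want it today: the token comes from PHP's random_bytes() CSPRNG instead of mt_rand(), whose output is predictable once enough of it has been observed; the value stored in the database is an HMAC-SHA256 of the token under the configured key rather than sha1(key . token); and verification uses hash_equals() so the comparison does not leak through timing. The constant ENCRYPTION_KEY is an assumed stand-in for $this->CI->config->item('encryption_key'). The example also makes the role of the hash concrete: hashing adds no entropy to a token that is already random, and a per-token salt is unnecessary because, unlike passwords, these tokens are not drawn from a small guessable set. What the hash does buy is that a copy of the table does not contain directly usable tokens, and with a keyed hash the attacker additionally needs the key to forge a stored value for a token they chose.

```php
<?php
// Added example, not code from the original post or from the
// CodeIgniter Authentication Library the post discusses.
declare(strict_types=1);

// Assumed stand-in for $this->CI->config->item('encryption_key').
// In a real application this comes from configuration, not source.
const ENCRYPTION_KEY = 'replace-with-a-long-random-secret-from-config';

/**
 * Generate a token whose randomness comes from the OS CSPRNG.
 * 20 random bytes give 160 bits of entropy; hex encoding makes a
 * 40-character string that is safe to put in a URL or cookie.
 */
function generate_token(int $bytes = 20): string
{
    return bin2hex(random_bytes($bytes));
}

/**
 * Derive the value that is stored server side. The raw token is
 * sent to the user and never persisted; only this keyed hash is.
 * A leaked table therefore yields nothing directly usable, and
 * forging a stored value for a chosen token also requires the key.
 */
function token_storage_value(string $token): string
{
    return hash_hmac('sha256', $token, ENCRYPTION_KEY);
}

/**
 * Verify a token presented by a client against the stored value.
 * hash_equals() takes time independent of where the strings differ.
 */
function verify_token(string $presented, string $stored): bool
{
    return hash_equals($stored, token_storage_value($presented));
}

// Usage: issue a token, keep only the derived value server side.
$token  = generate_token();            // hand this to the user
$stored = token_storage_value($token); // persist this, never $token

var_dump(verify_token($token, $stored));
var_dump(verify_token('not-the-token', $stored));
```

The first var_dump() reports the genuine token as valid and the second rejects the wrong one. If the stored value is written to a database column, keep it as the hex string hash_hmac() returns (64 characters for SHA-256) and look the row up by that value rather than by the raw token, so the raw token never touches the database or its logs.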

© Stack Overflow or respective owner
