[pmwiki-devel] PHP 5.6 crypt() without salt raises E_NOTICE
Chris Knadle
Chris.Knadle at coredump.us
Tue Feb 18 11:15:07 CST 2014
On Saturday, February 15, 2014 20:58:28 Petko Yotov wrote:
> Hello.
>
> There was a known bug in some PHP versions when crypt() is used without a
> "salt" parameter, see http://www.pmwiki.org/wiki/PITS/01277 .
>
> This was a bug, but from PHP 5.6 on there will be a "feature", and using
> crypt() without a salt will raise E_NOTICE. See http://php.net/crypt .
>
> We are using crypt() without a salt to create hashes from passwords.
>
> Does anyone have a suggestion how to implement a random enough salt
> parameter?
One suggestion I've seen for this is taking a long section of the value of Pi
as a string, and using pieces of that as the salt. Perhaps taking a long
section as a string, and choosing a piece based on the local time?
[I'm only suggesting this because I'm making the assumption that a local
source of "good" randomness such as /dev/urandom is not available. However,
from what I've read, what "good" randomness means even if this device exists
differs depending on the system in question.]
-- Chris
--
Chris Knadle
Chris.Knadle at coredump.us
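As an added example (not code from this thread or from PmWiki), here is one way to supply the salt parameter Petko asks about, drawing it from the CSPRNG that PHP exposes through the OpenSSL extension; it assumes PHP 5.3.7 or later, where crypt() accepts the "$2y$" bcrypt scheme.

```php
<?php
// Added example, not from the pmwiki-devel thread: build a crypt() salt from a
// cryptographically strong random source so the salt argument is always
// supplied (no E_NOTICE on PHP 5.6) and every password gets its own salt.
// Assumes PHP >= 5.3.7 with the OpenSSL extension (openssl_random_pseudo_bytes).

// bcrypt's salt alphabet is "./A-Za-z0-9"; base64 uses "+/A-Za-z0-9" plus "=".
function bcrypt_salt($cost = 10) {
    $strong = false;
    $raw = openssl_random_pseudo_bytes(16, $strong);
    if ($raw === false || !$strong) {
        // Refuse to fall back to a weak source: a predictable salt defeats
        // the purpose of salting, so fail loudly instead.
        throw new RuntimeException('no cryptographically strong random source');
    }
    // 16 random bytes -> 24 base64 chars; bcrypt wants exactly 22 of them.
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $salt);
}

function hash_password($password) {
    $hash = crypt($password, bcrypt_salt());
    // On failure crypt() returns a short string such as "*0"; a bcrypt hash
    // is always 60 characters, so anything else means the scheme was rejected.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('crypt() did not produce a bcrypt hash');
    }
    return $hash;
}

function check_password($password, $hash) {
    // Pass the stored hash back as the salt: crypt() reads the scheme, cost
    // and salt from its prefix. hash_equals() (PHP 5.6+) compares in
    // constant time; older versions fall back to a plain comparison.
    $computed = crypt($password, $hash);
    return function_exists('hash_equals')
        ? hash_equals($hash, $computed)
        : $hash === $computed;
}

// Constructed usage: store $stored, later verify a login attempt against it.
$stored = hash_password('correct horse battery staple');
var_dump(check_password('correct horse battery staple', $stored));
var_dump(check_password('wrong password', $stored));
```

On PHP 5.5 and later, password_hash() and password_verify() do the same salt generation and crypt() call internally, so new code can use those instead of hand-building the salt.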