I was here yesterday and got some really great answers. I took what I got and put together, what I think will be a fairly secure algorithm. I'm having a problem using blowfish with a for loop that generates the salt.
I'm using base64 characters and a for loop to get a random string. I want to take this generated string and insert it into the crypt function as the salt.
Because the documentation about blowfish is so sparse and the PHP docs don't really even mention it, I'm sort of stabbing in the dark here.
The really strange thing is if you run this code the way it is now, it will not fail. Remove either the '$2a$07$' from above the for loop or from the crypt function and it will intermittently return an encrypted string. My understanding of blowfish is that the encrypted string must begin with '$2a$07$' and end in "$' hence the concatenation in the crypt function. I really don't need the beginning string above the for loop and just wanted to get rid of it.
I also would like clarification about the best practice on storing the random salt, either in the database or by storing the output of the crypt function in the database?
Yesterday, there was no real code being thrown around, just discussion. I'd like to put some code together today and have something that is fairly secure in place. If anyone can come up with a better algorithm, I'm always open.
$base64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
$salt = '$2a$07$';
for($i=0; $i<60; $i++)
{
$salt .= $base64[rand(0,63)];
}
return crypt('password', '$2a$07$'.$salt.'$');