I'm using Adam Griffiths's Authentication Library for CodeIgniter and I'm tweaking the usermodel.

I came across a generate function that he uses to generate tokens.

His preferred approach is to reference a value from random.org, but I considered that superfluous. I'm using his fallback approach of randomly generating a 20-character-long string:

```php
$length = 20;
$characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
$token = '';
// Pick one character at a time from the 62-character alphabet.
// mt_rand() is the Mersenne Twister generator, not a cryptographic RNG.
for ($i = 0; $i < $length; $i++) {
    $token .= $characters[mt_rand(0, strlen($characters) - 1)];
}
```

He then hashes this token using a salt (I'm combining code from different functions):

```php
// encryption_key comes from the CodeIgniter config; $str is the generated token.
sha1($this->CI->config->item('encryption_key') . $str);
```

I was wondering if there's any reason to run the token through the salted hash?

I've read that simply randomly generating strings is a naive way of making random passwords, but are the sha1 hash and salt necessary?

Note: I got my encryption_key from https://www.grc.com/passwords.htm (63 random alpha-numeric)

+1  A: 

Salting a hash is used to decrease the possibility of collision and ensure that the hash can't be found in a database (like this) - if everybody is using md5() for storing their passwords, then a password file/database could be "de-hashed" by looking up the md5'd value of the password.

Using a salt, there is an added unknown element to the hash which means the code for generating the salt must also be known to try and brute force the hash. In the context of generating a random password, I can't see any point in salting the hash as the password data is random anyway.

Andy
+1  A: 

The main reason for salting hashes is to complicate dictionary attacks. Salting also prevents identical passwords from being discovered, since without it they would produce the same hash.

Another use of hash functions is in pseudo-random number generators, which is what your code is trying to do.

True randomness is not an easy thing to achieve, and pseudo-random generation can be tricky. The code you described seems to be trying to get the 'best' randomness from random.org, and its fallback pseudo-random generation is trying to do the right thing.

Maxwell Troy Milton King
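As an added example (not code from the question, from the library it discusses, or from either answer), the following PHP script puts numbers on the point made above: it generates the same kind of 20-character token, computes how many bits of entropy such a token carries, and runs it through the same `sha1(key . token)` step to show that the hash is a deterministic mapping that cannot add randomness the token did not already have. The function names, the constant `TOKEN_ALPHABET` and the placeholder key are this example's own; the generator uses `random_int()` (PHP 7.0+), a CSPRNG, in place of `mt_rand()`.

```php
<?php
// Added example; not code from the question or from the library it discusses.
// Same 62-character alphabet as the question's fallback generator.
const TOKEN_ALPHABET = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

// Token generator using random_int() (a CSPRNG, PHP >= 7.0) instead of mt_rand().
// Function name is this example's own.
function generate_token(int $length = 20): string
{
    $max = strlen(TOKEN_ALPHABET) - 1;
    $token = '';
    for ($i = 0; $i < $length; $i++) {
        $token .= TOKEN_ALPHABET[random_int(0, $max)];
    }
    return $token;
}

// Entropy in bits of a uniformly chosen string: length * log2(alphabet size).
function token_entropy_bits(int $alphabet_size, int $length): float
{
    return $length * log($alphabet_size, 2);
}

// The question's salted hash step, exactly as it was combined there.
function salted_sha1(string $encryption_key, string $token): string
{
    return sha1($encryption_key . $token);
}

// 'EXAMPLE_KEY_PLACEHOLDER' stands in for the real encryption_key from the config.
$key   = 'EXAMPLE_KEY_PLACEHOLDER';
$token = generate_token(20);
$bits  = token_entropy_bits(strlen(TOKEN_ALPHABET), strlen($token));
$hash  = salted_sha1($key, $token);

printf("token: %s (%.1f bits of entropy)\n", $token, $bits);
printf("sha1 : %s (%d hex chars, a 160-bit output)\n", $hash, strlen($hash));

// The hash is a deterministic function of (key, token): the same inputs always
// give the same 40 hex characters, so it maps the 62^20 possible tokens onto at
// most 62^20 distinct outputs. It cannot raise the entropy above what the token
// had, and a token drawn from a predictable generator stays predictable after
// hashing; only the generator decides how guessable the result is.
assert(salted_sha1($key, $token) === $hash);
```

For a 20-character token over a 62-symbol alphabet the entropy is 20 * log2(62), about 119 bits, which is below sha1's 160-bit output size; the hash therefore neither gains nor loses any of that, it only changes the representation.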