I have a quick question for you guys:
I am tinkering with PHP (I am relatively inexperienced), and am interested in developing a secure password hashing system for use on my site. Through other articles and questions on SO, I have surmised that I should be using PHP's crypt() function for an implementation of BSD's bcrypt hashing algorithm.
My question to you pertains to the fact that, when I feed the function an initialization vector or password, inputs that are not base64 seem to return a "0" as the hash. Here is what I have implemented to work around this issue:
$salt = base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM));
and
$password = base64_encode($password);
Is there a danger of collisions or otherwise decreased security when I change the encodings like this?
My idea was that I would like to allow users to use any range of characters for their passwords (I will enforce a good password policy) without having to worry about my hash function returning an empty hash.
Is there a more simple or elegant way to do this? Should I perhaps be using a hash function that doesn't restrict my salt and password as much?
Thanks in advance for any help you can give me.
Encoding it under base64 does not increase the chance of collision as it is simply a 1-to-1 translation. It does not reduce the password haystack whatsoever.