I know this may be somewhat a common question, there are SO many articles across the net about generating secure salts for password hashing. So far I've picked up the mcrypt_create_iv is generally used for initialisation vectors for encryption, it can be used to create salt securely especially when used against MCRYPT_DEV_RANDOM.
For some reason despite people having success with it, whenever I use:
$Salt = mcrypt_create_iv(22, MCRYPT_DEV_RANDOM);
Apply it to the hash, then separately input it into the db. When coming back and authenticating and putting it all together... it never seems to work correctly.
Are there some characters that are generated by the mcrypt_create_iv function that aren't compatible with crypt? Because the second I use a somewhat plaintext salt whether generated from a secure source or not.. it works fine. But I would like to make use of the special characters mcrypt uses.
(Also, I am using the $6$ algorithm on crypt so only 16 bytes required for the salt)
Any help would be appreciated!
Thanks :)
I recommend using the password_hash() family of functions, as these will take care of the hashing for you completely. They also offer future-compatibility, and is generally the recommended method for handling passwords in PHP.
Read more about how to use them in this answer: https://stackoverflow.com/a/6337021/5086233
As for your original question: I suspect a charset issue somewhere, but without seeing the code (and table definition) that handles the hash it's impossible to tell.