What I thought would be a 10-minute job to migrate a few lines of code of PHP to Go turned into an 8-hour marathon of thought and discovery. I needed to move our password hash checking code.
This is really a story about how PHP’s crypt() works (or doesn’t) and why it’s never a good idea to try and generate your own cryptographically secure salts.
You may find this useful if you also need to deal with hashing passwords (granted, there are a lot of other better ways to do this) or you just feel like a few “What the!? Ah ha!” moments.
If the code comment is doing its job, I shouldn’t need to explain any further…
Originally published at http://elliot.land on July 25, 2018.