I've read that the new password_hash() function from PHP uses /dev/urandom to generate a secure salt; however, this assumes some noise from device drivers.
Is it possible that /dev/urandom is not so random when, for example, deploying a website on a virtual machine? (For example, the same image of an operating system snapshot is run and in reality what we get is just a "hash" of system time?) I am assuming that simulating the operating system is going to be deterministic (or more deterministic), unlike a system running on bare metal.
EDIT:
Is /dev/urandom random enough to allow unpredictable salts to be generated on a virtual machine?
urandom or the suitability of urandom for generating salts? Or are you asking how random a salt must be to remain secure? – schroeder Apr 28 '16 at 16:55
urandom for generating salts when running the system on a virtual machine (like many modern hosting services) which is likely to be run from a system image – CoffeDeveloper Apr 28 '16 at 16:59