How to Dynamically Generate Salt Templates for Multiple Algorithms Using PHP's crypt Function?

M66 2025-06-11

In PHP, the crypt function is a classic method for password hashing. It supports multiple encryption algorithms such as DES, MD5, Blowfish, SHA-256, and SHA-512. Using a proper salt not only strengthens password security but also controls the complexity of the encryption algorithm and hashing.

This article will explain in detail how to dynamically generate salt templates suitable for various algorithms, allowing you to flexibly specify the algorithm and salt value when using the crypt function.

Basic Usage of the crypt Function

$password = 'mypassword';
$salt = '$6$rounds=5000$usesomesillystring$';  // Example salt for SHA-512
$hash = crypt($password, $salt);
echo $hash;

In the example above, $6$ indicates the use of the SHA-512 algorithm, rounds=5000 specifies the number of encryption iterations, and the following string is the main part of the salt.

Salt Formats for Different Algorithms

Algorithm	Salt Prefix	Salt Length and Description
DES	No prefix	2-character salt
MD5	$1$	8-character salt
Blowfish	$2a$ or $2y$	22-character salt (including version and cost parameter)
SHA-256	$5$	Optional rounds parameter, salt up to 16 characters
SHA-512	$6$	Optional rounds parameter, salt up to 16 characters

With this knowledge, we can dynamically generate the appropriate salt templates based on the algorithm.

Example Function to Dynamically Generate Salt Templates

Below is a PHP function example that generates a corresponding salt template based on the input algorithm name:

function generateSalt($algorithm = 'sha512', $rounds = 5000) {
    // Function to generate random salt body, length adjusted according to algorithm limits
    function randomSalt($length) {
        $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./';
        $salt = '';
        for ($i = 0; $i < $length; $i++) {
            $salt .= $chars[random_int(0, strlen($chars) - 1)];
        }
        return $salt;
    }
    case 'des':
        // DES salt only takes first 2 characters
        return substr(randomSalt(2), 0, 2);

    case 'md5':
        // MD5 salt format $1$salt$
        return '$1$' . randomSalt(8) . '$';

    case 'blowfish':
        // Blowfish format $2y$cost$22charsalt
        $cost = 10;  // 2-digit number, recommended between 04 and 31
        $costStr = str_pad($cost, 2, '0', STR_PAD_LEFT);
        return '$2y$' . $costStr . '$' . randomSalt(22);

    case 'sha256':
        // SHA-256 format $5$rounds=xxxx$salt$
        return '$5$rounds=' . intval($rounds) . '$' . randomSalt(16) . '$';

    case 'sha512':
    default:
        // SHA-512 format $6$rounds=xxxx$salt$
        return '$6$rounds=' . intval($rounds) . '$' . randomSalt(16) . '$';
}

}

Usage Example

$password = 'my_secret_password';
<p>// Select algorithm<br>
$algorithm = 'blowfish';</p>
<p>// Generate corresponding salt template<br>
$salt = generateSalt($algorithm);</p>
<p>// Generate hash<br>
$hash = crypt($password, $salt);</p>
<p>echo "Algorithm: {$algorithm}\n";<br>
echo "Salt template: {$salt}\n";<br>
echo "Generated hash: {$hash}\n";<br>

This method allows you to flexibly control the algorithm and salt parameters used during password encryption, enhancing security.

Additional Recommendations

For safer password hashing, consider using PHP’s built-in password_hash and password_verify functions. These functions encapsulate underlying complexities, default to strong algorithms, and handle salts automatically.
Avoid manually concatenating parameters in the salt string; instead, use reliable random number generators like random_int.
Regularly adjust the rounds (iteration count) based on security needs to improve resistance against brute-force attacks.