public static method

Generates a cryptographically strong salt, using the best available method (tries Blowfish, then XDES, and fallbacks to MD5), for use in Password::hash().

Blowfish and XDES are adaptive hashing algorithms. MD5 is not. Adaptive hashing algorithms are designed in such a way that when computers get faster, you can tune the algorithm to be slower by increasing the number of hash iterations, without introducing incompatibility with existing passwords.

To pick an appropriate iteration count for adaptive algorithms, consider that the original DES crypt was designed to have the speed of 4 hashes per second on the hardware of that time. Slower than 4 hashes per second would probably dampen usability. Faster than 100 hashes per second is probably too fast. The defaults generate about 10 hashes per second using a dual-core 2.2GHz CPU.

Note 1: this salt generator is different from naive salt implementations (e.g. md5(microtime())) in that it uses all of the available bits of entropy for the supplied salt method.

Note2: this method should not be use to generate custom salts. Indeed, the resulting salts are prefixed with information expected by PHP's crypt(). To get an arbitrarily long, cryptographically strong salt consisting in random sequences of alpha numeric characters, use lithium\security\Random::generate() instead.


  • string $type

    The hash type. Optional. Defaults to the best available option. Supported values, along with their maximum password lengths, include:

    • 'bf': Blowfish (128 salt bits, max 72 chars)
    • 'xdes': XDES (24 salt bits, max 8 chars)
    • 'md5': MD5 (48 salt bits, unlimited length)
  • integer $count

    Optional. The base-2 logarithm of the iteration count, for adaptive algorithms. Defaults to:

    • 10 for Blowfish
    • 18 for XDES



The salt string.


	public static function salt($type = null, $count = null) {
		switch (true) {
			case CRYPT_BLOWFISH === 1 && (!$type || $type === 'bf'):
				return static::_generateSaltBf($count);
			case CRYPT_EXT_DES === 1 && (!$type || $type === 'xdes'):
				return static::_generateSaltXdes($count);
				return static::_generateSaltMd5();