openssl_random_pseudo_bytes is used for cryptographical randomness where rnd() isn't suitable
$salt = openssl_random_pseudo_bytes(22);
$salt = substr(strtr(base64_encode($salt), array('_' => '.', '~' => '/')),0,22); //Sets length to 22 characters
