use Digest::MD5 qw(md5_hex);

my $salt = md5_hex( time().{}.rand().$$ );
[download]

That's certainly interesting, but it seems strange to go to those lengths to get a random number and then limit it to a hex string. Granted, I'm not exactly a cryptography expert, but don't you want the largest possible pool of characters?

If you are given these rules:
1. Your salt must be N characters long or shorter
2. N is a small integer

then, yes, you would want a big char set. That is not the case with salts, however. Heck, you could restrict yourself to two characters and still be arbitrarily uhm... arbitrary by making the string longer.

The incredibly-randomness and terribly-hard-to-guessness of a salt is not critical: it is going to be hashed again.

Disclaimer: I am not a crypto expert either. /me .oO(Come to think of it, I am not an expert in anything, really. That's not very good at age 34)

Cheers.

And there is a more elegant way, which is not very much different from what you do:

my $salt = pack "C10", map { int(256*rand()) } 0..9

If you want to stick to ASCII (2**70 is still a very large number), just change to constant to 128.

I thought about that, but I'd like to keep it as cross-platform as possible. I know nul on Windows is the equivalent of /dev/null, but is there a random equivalent?

No, there's no such device on Windows.