ilkkachu


TLDR: It's a bit interesting, but doesn't matter.

Does it matter, though? As @RemcoGerlich commented, it's pretty much only a question of encoding. It will effectively fix some bits of the salt to zero, but it's likely that this will have no significant effect in this case, since the origin of those bits is this call to srandom in seedRNG:

This is a variant of ye olde custom of seeding an RNG with the current time. (tv_sec and tv_usec are the seconds and microseconds of the current time, getpid() gives the process ID of the running process.) As the time and PIDs are not very unpredictable, the amount of randomness here is likely not larger than what the encoding can hold.

The time and PID are not something you'd like to create keys with, but might be unpredictable enough for salts. Salts must be distinct to prevent brute-force testing multiple password hashes with a single calculation, but should also be unpredictable, to prevent or slow down targeted precomputation, which could be used to shorten the time from getting the password hashes to getting the actual passwords.

Even with the slight issues, as long as the algorithm doesn't generate the same salt for different passwords, it should be fine. And it doesn't seem to, even when generating a couple dozen in a loop, as the list in the question shows.

Also, the code in question isn't used for anything but generating salts for passwords, so there are no implications about problems elsewhere.

For salts, see also, e.g. this on Stack Overflow and this on security.SE.
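As an added illustration of the answer's point (this is example code written for this page, not the question's code and not ilkkachu's), the block below models a salt generator seeded from tv_sec, tv_usec and getpid() next to one that reads /dev/urandom, and a search that recovers the microsecond field of the seed once the second and the PID are known. The function names, the 16-character crypt-style alphabet and the XOR used to combine the three seed inputs are assumptions; the page does not show how seedRNG() mixes them.

```c
/* Added example, not the code from the question or from the answer above.
 * Models the pattern the answer describes: srandom() seeded from the current
 * seconds, microseconds and PID, then random() drawn for each salt character.
 * How the real seedRNG() mixes the three values is not shown on the page;
 * the XOR below is an assumption, and so are all names in this file. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SALT_LEN 16

/* crypt(3)-style 64-character salt alphabet: 6 bits per character */
static const char itoa64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* POSIX random()/srandom(); declared explicitly so the example builds
 * regardless of which feature-test macros the compiler enables. */
long random(void);
void srandom(unsigned int seed);

/* Assumed seeding: XOR of tv_sec, tv_usec and getpid(). The seed is at most
 * 32 bits and the inputs are guessable (about 10^6 microsecond values times
 * roughly 32k PIDs, around 35 bits), so the 96-bit salt is a deterministic
 * function of that small input space; the extra salt bits add no entropy. */
void salt_time_pid(unsigned sec, unsigned usec, unsigned pid,
                   char out[SALT_LEN + 1])
{
    srandom(sec ^ usec ^ pid);
    for (int i = 0; i < SALT_LEN; i++)
        out[i] = itoa64[random() & 63];   /* keep the low 6 bits of each draw */
    out[SALT_LEN] = '\0';
}

/* Salt from the kernel CSPRNG. 256 is a multiple of 64, so masking each byte
 * down to 6 bits is unbiased. Returns 0 on success, -1 if /dev/urandom cannot
 * be read. */
int salt_urandom(char out[SALT_LEN + 1])
{
    unsigned char buf[SALT_LEN];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    if (n != sizeof buf)
        return -1;
    for (int i = 0; i < SALT_LEN; i++)
        out[i] = itoa64[buf[i] & 63];
    out[SALT_LEN] = '\0';
    return 0;
}

/* Attacker's view: the salt sits next to the hash, the second is known from a
 * file timestamp or log entry and the PID range is small. Walk the microsecond
 * field and return the value that reproduces the salt, or -1 if none in range. */
long recover_usec(const char *salt, unsigned sec, unsigned pid,
                  unsigned usec_limit)
{
    char cand[SALT_LEN + 1];
    for (unsigned usec = 0; usec < usec_limit; usec++) {
        salt_time_pid(sec, usec, pid, cand);
        if (strcmp(cand, salt) == 0)
            return (long)usec;
    }
    return -1;
}

int main(void)
{
    char a[SALT_LEN + 1], b[SALT_LEN + 1], c[SALT_LEN + 1];

    /* If seedRNG() is called before every salt (an assumption), two salts made
     * in the same microsecond by the same process are identical: the "must be
     * distinct" property is not guaranteed by construction. */
    salt_time_pid(1500000000u, 123456u, 4321u, a);
    salt_time_pid(1500000000u, 123456u, 4321u, b);
    printf("same seed inputs: %s %s%s\n", a, b,
           strcmp(a, b) == 0 ? " (identical)" : "");

    /* Knowing the second and the PID, the microsecond falls out by search. */
    printf("recovered usec: %ld\n",
           recover_usec(a, 1500000000u, 4321u, 1000000u));

    if (salt_urandom(c) == 0)
        printf("urandom salt: %s\n", c);
    return 0;
}
```

Build with any C compiler on a POSIX system (for example `gcc salt_example.c`) and run it. The same (second, microsecond, PID) triple always yields the same salt, which is the collision case the answer's "as long as the algorithm doesn't generate the same salt" caveat is about; and because the seed space is only about 35 bits, the salt can be recovered by exhaustive search, which is the targeted-precomputation concern the answer raises when it says salts should also be unpredictable.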
