Question

If I use crypt() to hash a password:

$password = "my_password_12345";
$salt = base64_encode(openssl_random_pseudo_bytes(64, $cstrong));
$crypt = crypt($password, $salt);

I get something like this

echo $crypt; //AG6hHvhjwnqpc

So, when I check the hash I do this and it all works fine:

echo crypt($password, $crypt); //AG6hHvhjwnqpc

But why does the following happen? I do the same check as above, but with a password similar to the previous one, and I get the same hash.

$password = "my_password_12345_not!";
echo crypt($password, $crypt); //AG6hHvhjwnqpc

I would expect a different hash, but instead I'm getting the same one.


Solution

In PHP, the crypt function uses only the first 8 characters:

Extract from the documentation:

The standard DES-based crypt() returns the salt as the first two characters of the output. It also only uses the first eight characters of str, so longer strings that start with the same eight characters will generate the same result (when the same salt is used).
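To make the truncation visible next to a scheme that does not suffer from it, here is an added example (not code from the question or the answer above). It runs the two passwords from the question through standard DES crypt() with the two-character salt "AG", then through crypt() with a bcrypt ("$2y$") salt, and finally through password_hash()/password_verify(). The function names desCryptCollides and bcryptCollides are my own.

```php
<?php
// Added example, not from the original post: shows that traditional DES crypt()
// only looks at the first 8 characters of the password, while bcrypt does not.

function desCryptCollides(string $a, string $b, string $salt = 'AG'): bool
{
    // A two-character salt from the alphabet ./0-9A-Za-z and no "$" prefix
    // makes crypt() select the standard DES scheme.
    return crypt($a, $salt) === crypt($b, $salt);
}

function bcryptCollides(string $a, string $b): bool
{
    // bcrypt salt: "$2y$" + two-digit cost + 22 characters from ./A-Za-z0-9.
    // base64 may emit "+", which is not in that alphabet, so it is mapped to ".".
    $salt = '$2y$10$' . substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return crypt($a, $salt) === crypt($b, $salt);
}

// The two passwords from the question: both start with "my_passw".
$p1 = 'my_password_12345';
$p2 = 'my_password_12345_not!';

var_dump(desCryptCollides($p1, $p2));   // DES: only "my_passw" is hashed for both
var_dump(bcryptCollides($p1, $p2));     // bcrypt: the full strings are hashed

// Recommended API: password_hash() picks a strong algorithm and a random salt,
// and password_verify() compares in constant time.
$hash = password_hash($p1, PASSWORD_DEFAULT);
var_dump(password_verify($p1, $hash));
var_dump(password_verify($p2, $hash));
```

The first var_dump prints bool(true) because DES crypt hashes only "my_passw" for both inputs; the second prints bool(false). password_verify() accepts $p1 and rejects $p2. Two caveats for the question's original code: base64_encode() output can begin with "+", which is not a valid character for a DES salt, and bcrypt has its own (much larger) limit of 72 bytes, so very long passphrases are still truncated there.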

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow