PHP: crypt() function returns same string if base string has only slight variation

StackOverflow https://stackoverflow.com/questions/9522857

  •  15-11-2019

Question

I'm having an issue using crypt. I'm rebuilding a site for a client, so there's a lot of inherited code from the previous version. I have to keep the site's original database intact, so I have to be careful what I change code-wise. The previous developer used the crypt() function to create a hash of user passwords for storage. The weird effect I'm seeing is that slight variations in the same password will sometimes create the exact same hash. I don't know much about how crypt works, but it seems to me that this shouldn't be happening. Here's some code to see as an example.

<?php
// Both calls use the same salt; only the password differs after the 9th character.
echo crypt('Colliedog6','wfd')."\n";
echo crypt('Colliedog10','wfd')."\n";

This returns the same hash string on my server. I'm using that salt string because that's what the previous developer used and all current passwords were made using that salt string so I really need to use it unless we want to force all users to reset the passwords. This isn't necessarily out of the question, but we would like to avoid it. Why would crypt take two slightly different strings like those above and create the same hash?


Solution

From the docs:

The standard DES-based crypt() returns the salt as the first two characters of the output. It also only uses the first eight characters of str, so longer strings that start with the same eight characters will generate the same result (when the same salt is used).

OTHER TIPS

Because crypt() ignores characters past the 8th. As usual, reading the PHP manual/docs is a good starting point -- there are a lot of gotchas like that in PHP: http://php.net/manual/en/function.crypt.php
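To illustrate the 8-character truncation both answers describe, and the usual way out of it without forcing a reset (verify against the legacy DES hash once at login, then store a password_hash() result), here is an added example that is not from the question or either answer. It assumes the legacy hashes are plain 13-character DES crypt() strings and that the caller persists the returned replacement hash; the password values are the ones from the question.

```php
<?php
// Added example: DES crypt() truncation and a login-time upgrade path.
// Assumptions: legacy rows hold a 13-char DES crypt() string (never starts
// with '$'); the caller writes back any new hash this returns.
declare(strict_types=1);

const LEGACY_SALT = 'wfd'; // salt the previous developer used; DES keeps 'wf'

// Traditional DES crypt() hashes only the first 8 characters of the
// password and the first 2 characters of the salt.
function legacyHash(string $password): string
{
    return crypt($password, LEGACY_SALT);
}

// 'Colliedog6' and 'Colliedog10' share the prefix 'Colliedo', so under
// DES crypt() they produce the identical hash.
function collides(string $a, string $b): bool
{
    return hash_equals(legacyHash($a), legacyHash($b));
}

// Verify a password against whatever is stored. If the stored value is a
// legacy DES hash and the password matches, also return a bcrypt hash so
// the caller can replace it. Returns [bool $ok, ?string $replacementHash].
function verifyAndUpgrade(string $password, string $storedHash): array
{
    if ($storedHash !== '' && $storedHash[0] !== '$') {
        // Legacy DES: crypt() reads the salt from the first two characters
        // of the stored hash, so the stored hash itself serves as the salt.
        if (!hash_equals($storedHash, crypt($password, $storedHash))) {
            return [false, null];
        }
        // bcrypt uses the whole password (up to 72 bytes) and a random salt.
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }
    $ok = password_verify($password, $storedHash);
    $replacement = ($ok && password_needs_rehash($storedHash, PASSWORD_DEFAULT))
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return [$ok, $replacement];
}

var_dump(collides('Colliedog6', 'Colliedog10'));            // bool(true): DES collision
[$ok, $new] = verifyAndUpgrade('Colliedog6', legacyHash('Colliedog6'));
var_dump($ok);                                                // bool(true)
var_dump($new !== null && password_verify('Colliedog6', $new)); // bool(true)
var_dump($new !== null && password_verify('Colliedog10', $new)); // bool(false): no longer collides
```

Once a user has logged in and the bcrypt hash is stored, the legacy salt is no longer involved for that account, so the migration completes gradually without a forced reset.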

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow