Question

If I use crypt() to hash a password:

$password = "my_password_12345";
$salt = base64_encode(openssl_random_pseudo_bytes(64, $cstrong));
$crypt = crypt($password, $salt);

I get something like this:

echo $crypt; //AG6hHvhjwnqpc

So, when I check the hash I do this and it all works fine:

echo crypt($password, $crypt); //AG6hHvhjwnqpc

But why does the following happen? I do the same check as above but with a password similar to the previous one, and I get the same hash.

$password = "my_password_12345_not!";
echo crypt($password, $crypt); //AG6hHvhjwnqpc

I would expect a different hash, but instead I'm getting the same one.


The solution

In PHP, the crypt function uses only the first 8 characters:

Extract from the documentation:

The standard DES-based crypt() returns the salt as the first two characters of the output. It also only uses the first eight characters of str, so longer strings that start with the same eight characters will generate the same result (when the same salt is used).
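The behaviour quoted above, reproduced as an added example (this is not code from the question or the answer): two passwords that share their first eight characters collide under standard DES crypt(), and the same check done with password_hash()/password_verify() (bcrypt, which PHP selects for PASSWORD_DEFAULT and which salts the hash itself) tells them apart. The two-character salt "AG" is taken from the hash shown in the question; the sample passwords are the ones the question uses.

```php
<?php
// Added example: demonstrates the 8-character truncation of DES crypt()
// and the modern replacement. Not part of the original question or answer.

function desHash(string $password, string $salt): string
{
    // With a two-character salt ([./0-9A-Za-z]) crypt() runs the legacy
    // DES algorithm: it reads only the first two salt characters and only
    // the first eight characters of $password. Everything after that is
    // silently discarded.
    return crypt($password, $salt);
}

function desCollides(string $a, string $b, string $salt): bool
{
    // Constant-time comparison of the two 13-character DES outputs.
    return hash_equals(desHash($a, $salt), desHash($b, $salt));
}

function bcryptCollides(string $a, string $b): bool
{
    // password_hash() generates its own random salt and, with
    // PASSWORD_DEFAULT, uses bcrypt; the full password (up to bcrypt's
    // 72-byte limit) contributes to the hash.
    $stored = password_hash($a, PASSWORD_DEFAULT);
    return password_verify($b, $stored);
}

// Constructed sample inputs: same first eight characters, different tails.
$first  = "my_password_12345";
$second = "my_password_12345_not!";
$salt   = "AG"; // the two salt characters DES keeps from the question's hash

// Only "my_passw" reaches the DES algorithm, so both passwords collide,
// and so does the bare eight-character prefix on its own.
var_dump(desCollides($first, $second, $salt));
var_dump(desCollides("my_passw", $first, $salt));

// Under bcrypt the tail of the password matters: the first password
// verifies against its own hash, the second does not.
var_dump(bcryptCollides($first, $first));
var_dump(bcryptCollides($first, $second));
```

The practical consequence for a login check is that any attacker who guesses the first eight characters of a DES-hashed password is accepted, regardless of what follows; storing hashes with password_hash() and checking them with password_verify() removes both the truncation and the need to manage salts by hand.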

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow