1

A quick and dirty experiment.

I put this code into a .php file and loaded it from my web host.

The result was "It works!" but.. why? Should it have failed? I was following Example #1 from here: http://php.net/manual/en/function.crypt.php

```php
<?php
$pass1 = "thetimeshallwhintercows";
$salt = "temperpedic";

$crypt_pass = crypt($pass1, $salt);

if($crypt_pass == crypt("thetimeshallwhintercowz", $crypt_pass))
{
    print("It works!<br/>");
    print( $crypt_pass  );
    print("<br/>");
    print(crypt("thetimeshallwhintercowz", $crypt_pass));
}
else
{
    print("try again....");
}

?>
```
Giacomo1968
James
  • Example #1 [on that page states](http://php.net/manual/en/function.crypt.php) (as a comment in the code) `// let the salt be automatically generated`. If you were to use (add) `$user_input = "mypassword";` from that very same page and then modify it to be `$user_input = "mypassword2";` you will see that it will in fact work as intended. – Funk Forty Niner Dec 17 '13 at 02:55
  • [Rezigned's answer](http://stackoverflow.com/a/20625155/1415724) makes a lot of sense, and is "right on the money". Your first 8 characters should not be the same. – Funk Forty Niner Dec 17 '13 at 03:11

3 Answers

3

You should have a look at this answer to a similar question. The crypt() function requires that you have a correctly formatted salt. While temperpedic is a valid salt (sort of), it's not really a correctly formatted salt.

If you have a look at the PHP documentation for the crypt() function there are a few examples of using crypt() with different hash types. Have a look at these examples.

Remember, with crypt for modern web applications, you should be using at least SHA-256.

```php
<?php
$pass1 = "thetimeshallwhintercows";
$salt = "temperpedic";

echo 'SHA-256:      ' . crypt($pass1, '$5$rounds=5000$' . $salt . '$') . "\n";
echo 'SHA-256:      ' . crypt($pass1, '$5$rounds=5000$' . $salt . 'extra$') . "\n";
echo 'SHA-256:      ' . crypt($pass1, '$5$rounds=5000$' . $salt . 'evenextra$') . "\n";

?>
```

```
tim@roflcopter /tmp $ php lol.php
SHA-256:      $5$rounds=5000$temperpedic$4g0qFd4Oqr/O.8aZMPiyrO9x5VUaQt14eXPOMr5asK2
SHA-256:      $5$rounds=5000$temperpedicextra$3BF4dmqrCBuY2UtQpuhxXm4t4KGp1M9OoJPrskM490/
SHA-256:      $5$rounds=5000$temperpedicevene$jBsGNFGSAbuL8hdcXsZjHRrH6u4qnXb1bAJ.TOR32A2
```
Community
Tim Groeneveld
1

To explain this, take a look at this doc:

> The standard DES-based crypt() returns the salt as the first two characters of the output. It also only uses the first eight characters of str, so longer strings that start with the same eight characters will generate the same result (when the same salt is used).

When there's no correct salt specified (in your case), it will use the DES-based crypt function. From your example:

```php
$pass1 = "thetimeshallwhintercows";
$salt  = "temperpedic";

crypt($pass1, $salt); // returns teTHe69uKVFMw
```

Did you notice that the first 2 chars of the output are identical to the first 2 chars of the salt, i.e. te?

An important part is "It also only uses the first eight characters of input". That is why you get the same output even though $pass1 and $pass2 aren't the same. If you want a different result, the first 8 characters shouldn't be the same.

```php
$pass1 = 'thetimeshallwhintercowz';
$pass2 = 'thetimeshallwhintercows';

// crypt only uses the first 8 chars ('thetimes'), so it basically does this
crypt('thetimes', 'temperpedic');

// That explains why you get the same result
```
Rezigned
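An added example, not part of the original answers: it reproduces the truncation collision from the question, detects a stored hash in the traditional DES format, and replaces it at the next successful login using PHP's built-in `password_hash()` / `password_verify()`. The helper names `is_legacy_des_hash` and `verify_and_upgrade` are hypothetical.

```php
<?php
// Added example, not code from the thread. Helper names are hypothetical.

// Traditional DES crypt() output is exactly 13 characters from [./0-9A-Za-z]
// with no "$id$" prefix, e.g. the "teTHe69uKVFMw" shown in the answer above.
function is_legacy_des_hash(string $hash): bool
{
    return preg_match('#^[./0-9A-Za-z]{13}$#', $hash) === 1;
}

// Check a login attempt against a stored hash. Also report whether the stored
// hash is legacy DES, and on success supply a replacement hash when one is due.
function verify_and_upgrade(string $password, string $stored): array
{
    $legacy = is_legacy_des_hash($stored);
    if (!password_verify($password, $stored)) {   // reads crypt()-format hashes too
        return ['ok' => false, 'legacy_des' => $legacy, 'new_hash' => null];
    }
    $stale = password_needs_rehash($stored, PASSWORD_DEFAULT);
    return [
        'ok'         => true,
        'legacy_des' => $legacy,
        // The replacement covers the full password as typed at this login.
        'new_hash'   => $stale ? password_hash($password, PASSWORD_DEFAULT) : null,
    ];
}

$right = 'thetimeshallwhintercows';
$wrong = 'thetimeshallwhintercowz';

// The question's call: the unformatted salt selects DES, which reads 'thetimes' only.
$des = crypt($right, 'temperpedic');
var_dump(is_legacy_des_hash($des));
var_dump(hash_equals($des, crypt($wrong, $des)));   // the question's comparison

// A stored DES hash still verifies, and the result carries its replacement.
$result = verify_and_upgrade($right, $des);
var_dump($result['ok'], $result['legacy_des'], $result['new_hash'] !== null);

// Checked against the replacement hash, the near-miss password is compared in full.
var_dump(password_verify($wrong, $result['new_hash']));
```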
0

I ran your code and I got:

```
It works!
teTHe69uKVFMw
teTHe69uKVFMw
```

All seems OK; "It works!" is part of your example code at line 9.

I think that if you only get "It works", it's because you're accessing http://yourhost/. If you want to run your specific script, you need to specify this explicitly in the URL: http://yourhost/yourscript.php

Ignacio Ocampo