1

I was using PHP's crypt() function to encrypt the password before storing it in the database. Now, if the password contains a number, then all passwords with the same substring generate the same encryption. For example, all the passwords below generate the same encryption.

<?php
// Second argument is the salt; "mykey" is treated as a 2-character DES salt ("my")
echo crypt('abcdefg123','mykey').'<br>';
echo crypt('abcdefg123','mykey').'<br>';
echo crypt('abcdefg123456','mykey').'<br>';

The encrypted password result is

myeWT99Ku6TaM

What am I doing wrong? Or is it a bug?

Akhilesh
  • Uses only the first 8 characters to generate the hash. Since the first 8 characters in all your inputs are the same, you will get the same result. Also the generated hash will be <= 13 characters – Tushar Gupta Sep 30 '15 at 10:49
  • I would also suggest you check this for password hashing in PHP: http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php – Night2 Sep 30 '15 at 10:51
  • `crypt()` does not provide [encryption](https://paragonie.com/blog/2015/08/you-wouldnt-base64-a-password-cryptography-decoded), it provides password hashing. Password hashing is cryptography, but it is not encryption. – Scott Arciszewski Sep 30 '15 at 14:02

2 Answers

2

The crypt function takes a salt as the second argument. The salt has special formats described here.
You have provided a salt which is recognized as the standard DES algorithm.

The standard DES-based crypt() returns the salt as the first two characters of the output. It also only uses the first eight characters of str, so longer strings that start with the same eight characters will generate the same result (when the same salt is used).

Provide the proper salt. For example, try this for MD5:

<?php
// The "$1$" prefix selects the MD5-based algorithm, which uses the whole password,
// so the third line now produces a different hash from the first two
echo crypt('abcdefg123','$1$mykeyabcd$').'<br>';
echo crypt('abcdefg123','$1$mykeyabcd$').'<br>';
echo crypt('abcdefg123456','$1$mykeyabcd$').'<br>';
Yeldar Kurmangaliyev
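An added example (not code from the question or either answer) that shows the 8-byte truncation the answer above describes, the modern replacement for hand-built salts, and how a site with legacy DES hashes can migrate them at login. The function names, the by-reference `$newHash` parameter and the migration flow are my own assumptions; the stored hash value is the one from the question.

```php
<?php
// A 2-character salt ("my", the first two chars of "mykey") selects STD_DES;
// only the first 8 bytes of the password affect the 13-character result.
// Value taken from the question: crypt('abcdefg123', 'my') and
// crypt('abcdefg123456', 'my') both yield this.
const LEGACY_HASH = 'myeWT99Ku6TaM';

function isLegacyDesHash(string $hash): bool
{
    // STD_DES output is exactly 13 characters and carries no "$id$" prefix.
    return strlen($hash) === 13 && $hash[0] !== '$';
}

function hashPassword(string $password): string
{
    // password_hash() generates a random salt and embeds algorithm, cost and
    // salt in the result, so callers never construct salts by hand.
    return password_hash($password, PASSWORD_DEFAULT);
}

// Returns true on a correct password. If the stored hash is legacy DES (or a
// bcrypt hash below the current cost), $newHash receives a fresh hash that the
// caller must persist; otherwise $newHash stays null. (Hypothetical helper.)
function verifyAndMigrate(string $password, string $storedHash, ?string &$newHash): bool
{
    $newHash = null;
    if (isLegacyDesHash($storedHash)) {
        // Passing the stored hash as the salt reuses its 2-character salt.
        // hash_equals() compares in constant time; if crypt() fails it returns
        // a short "*0"/"*1" string, so the comparison simply fails.
        if (!hash_equals($storedHash, crypt($password, $storedHash))) {
            return false;
        }
        $newHash = hashPassword($password);   // full password now protected
        return true;
    }
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $newHash = hashPassword($password);
    }
    return true;
}

// Demonstration: the legacy hash accepts the longer password because DES ignored "456".
if (verifyAndMigrate('abcdefg123456', LEGACY_HASH, $newHash)) {
    echo "legacy login accepted; store new hash: $newHash\n";
    // The migrated hash covers the whole password, so the truncated variant no longer matches.
    echo password_verify('abcdefg123', $newHash) ? "still truncated\n" : "full password enforced\n";
}
```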
0

I think it's because of the salt. By default you probably use the CRYPT_STD_DES hash type in the crypt function, and this type works with a two-character salt, but you use a five-character salt.

Using invalid characters in the salt will cause crypt() to fail. http://php.net/manual/ru/function.crypt.php

karma_police