1

Why do the crypt values not match on Ubuntu PHP 5.3.6? On other systems, they match.

Sample code:

<?php

$password = '12345';

// Build a 9-character salt: '_' followed by 8 random alphanumeric characters.
$saltString = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
$salt = '_';
while (strlen($salt) < 9)
    $salt .= substr($saltString, rand(0, strlen($saltString)-1), 1);
$cryptedPassword = crypt($password, $salt);

printf("Password: %s\n", $password);
printf("Crypted Password: %s\n", $cryptedPassword);

// Hash the password again, passing the first result as the salt argument.
$cryptCompare = crypt($password, $cryptedPassword);

printf("Crypted Password Comparison: %s\n", $cryptCompare);

?>

Password: 12345
Crypted Password: _8OixMoOTyONAZDOiHbs
Crypted Password Comparison: _8IK4dGYmlkVo
David Barnes

2 Answers

1

I believe that crypt is supposed to return the salt value prepended to the front of the return value. In some implementations it is apparently only 2 bytes (you can check it with the constant CRYPT_SALT_LENGTH). From looking at the output printed in the OP, the similarity in the two "encrypted" strings is limited to the first two bytes. Perhaps the implementation is flawed and uses more than two bytes for the salt but only returns the first two bytes of the salt in the result. If so, that would explain the difference. You could test that by simply setting the salt length at 2.

Having said that, you might want to consider using a different hashing function. I know very little about PHP, but a bit of googling seems to indicate that crypt is obsolete and not very secure. For example, this is one such post.

Mark Wilkins
0

Perhaps your system doesn't support your current hash type. Why not try a different hash type?
http://php.net/manual/en/function.crypt.php

Mortis
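
One way to check what both answers point at (which format each result carries, and whether the system supports that hash type), as an added example that is not code from the question or from either answer. The function names are hypothetical and the salt `_J9..rasm` is a constructed sample; the layouts assumed are the crypt(3) ones, 13 characters for traditional DES and 20 characters starting with `_` for extended DES.

```php
<?php
// Added example; function names are hypothetical, not from the page.

// Name the crypt() scheme a string has, judged by prefix and length.
function crypt_scheme($hash)
{
    $set = '[./0-9A-Za-z]';
    if (preg_match('#^\$([0-9a-z]+)\$#', $hash, $m)) {
        return 'modular:' . $m[1];   // $1$, $2y$, $5$, $6$, ...
    }
    if (preg_match('#^_' . $set . '{19}\z#', $hash)) {
        return 'ext_des';            // '_' + 4 count + 4 salt + 11 hash = 20
    }
    if (strlen($hash) === 13 && preg_match('#^' . $set . '{11}\z#', substr($hash, 2))) {
        return 'std_des';            // 2 salt + 11 hash = 13
    }
    return 'unknown';
}

// Compare a stored hash with a recomputed one; report a scheme change separately.
function compare_crypt($stored, $recomputed)
{
    $a = crypt_scheme($stored);
    $b = crypt_scheme($recomputed);
    if ($a !== $b) {
        return "scheme mismatch: $a vs $b";
    }
    if (strlen($stored) !== strlen($recomputed)) {
        return 'different';
    }
    $diff = 0;                       // fixed-time comparison, no early exit
    for ($i = 0; $i < strlen($stored); $i++) {
        $diff |= ord($stored[$i]) ^ ord($recomputed[$i]);
    }
    return $diff === 0 ? 'match' : 'different';
}

// The two strings printed in the question.
$first  = '_8OixMoOTyONAZDOiHbs';
$second = '_8IK4dGYmlkVo';
printf("first:   %s, %d chars\n", crypt_scheme($first), strlen($first));
printf("second:  %s, %d chars\n", crypt_scheme($second), strlen($second));
printf("compare: %s\n", compare_crypt($first, $second));

// Which DES variants this interpreter reports as available.
printf("CRYPT_STD_DES=%d CRYPT_EXT_DES=%d\n", CRYPT_STD_DES, CRYPT_EXT_DES);

// Round trip on this interpreter with a constructed extended-DES salt.
$live = crypt('12345', '_J9..rasm');
printf("live:    %s\n", compare_crypt($live, crypt('12345', $live)));
```

Run on the question's two strings, this separates "same scheme, different hash" from "the second call produced a different scheme", which is the distinction a login check needs before it treats a mismatch as a wrong password.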