PHP - Need help with crypt function

  • natas
  • PHP Ninja
  • Proficient
  • natas
  • Posts: 308
  • Loc: AFK

Post 3+ Months Ago

Code: [ Select ]
    $password = "natas12345";
    $password = crypt($password,SALT);
    echo $password;
    $pass2 = "natas12346";
    $pass2 = crypt($pass2,SALT);
    echo $pass2;


SALT is a constant defined in another included file.

My problem is that $password and $pass2 are exactly the same value after encryption. This shouldn't be. What am I doing wrong?

  • ScottG
  • Proficient
  • Proficient
  • ScottG
  • Posts: 477

Post 3+ Months Ago

My thoughts are why use a two way crypt function instead of a one way like a md5 or sha1?
  • natas
  • PHP Ninja
  • Proficient
  • natas
  • Posts: 308
  • Loc: AFK

Post 3+ Months Ago

ScottG wrote:
My thoughts are why use a two way crypt function instead of a one way like a md5 or sha1?


I'm not using a 2 way crypt function.
  • ScottG
  • Proficient
  • Proficient
  • ScottG
  • Posts: 477

Post 3+ Months Ago

This was the example from php.net:

PHP Code: [ Select ]
$password = crypt('natas12345'); // let the salt be automatically generated
 
/* You should pass the entire results of crypt() as the salt for comparing a
   password, to avoid problems when different hashing algorithms are used. (As
   it says above, standard DES-based password hashing uses a 2-character salt,
   but MD5-based hashing uses 12.) */
if (crypt('natas12346', $password) == $password) {
   echo "Password verified! $password";
}
 


This code will not trigger; however, this will:

PHP Code: [ Select ]
$password = crypt('natas12345'); // let the salt be automatically generated
 
/* You should pass the entire results of crypt() as the salt for comparing a
   password, to avoid problems when different hashing algorithms are used. (As
   it says above, standard DES-based password hashing uses a 2-character salt,
   but MD5-based hashing uses 12.) */
if (crypt('natas12345', $password) == $password) {
   echo "Password verified! $password";
}
 
  • ScottG
  • Proficient
  • Proficient
  • ScottG
  • Posts: 477

Post 3+ Months Ago

It seems like more code than just storing an md5 or sha1 to compare against

like for example

PHP Code: [ Select ]
echo md5("natas12345") . '<br>';
echo md5("natas12346") . '<br>';
 
echo sha1("natas12345") . '<br>';
echo sha1("natas12346");
 
  • ScottG
  • Proficient
  • Proficient
  • ScottG
  • Posts: 477

Post 3+ Months Ago

However if you still want to use the crypt function you could try crypting the salt like the example shown above and below

PHP Code: [ Select ]
$salt = crypt('123456');
 
$password = "natas12345";
$password = crypt($password, $salt);
echo $password . '<br>';
$pass2 = "natas12346";
$pass2 = crypt($pass2, $salt);
echo $pass2;
 



This will give you different results
  • WritingBadCode
  • Graduate
  • Graduate
  • User avatar
  • Posts: 214
  • Loc: Sweden

Post 3+ Months Ago

This can be read at php dot net:

Quote:
The standard DES-based crypt() returns the salt as the first two characters of the output. It also only uses the first eight characters of str, so longer strings that start with the same eight characters will generate the same result (when the same salt is used).


Basically you will need to change the first 8 char for the hash to be different (if using the same hash, as I assume you do since it's a defined constant). natas123 <-- one of those need to move back or be "replaced".

Try using your example code and hash batas123, the result will not be the same as you got when hashing natas12345 and natas12346? And you can also try with: natas12346avjkaefaenkfaenca, result should remain the same as the original.

The best idea is ofc to use something that generates more uniqueness, you don't want password1234 to be hackable by a guess such as: password.
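
Added example (not part of the thread, and not php.net's code): the eight-character truncation described in the post above, reproduced with DES crypt(), followed by one way to move a stored DES hash to password_hash() at the next successful login. The SALT value 'rl' and the helper names des_hashes_match() and verify_and_upgrade() are assumptions made for this illustration.

```php
<?php
// Added illustration. SALT is a hypothetical two-character value standing in
// for the constant natas defines elsewhere; all passwords are sample strings.
const SALT = 'rl';

// A two-character salt selects traditional DES crypt(), which reads only
// the first eight characters of the password.
function des_hashes_match(string $a, string $b): bool
{
    return hash_equals(crypt($a, SALT), crypt($b, SALT));
}

// Verify against a stored hash of any crypt() format; on success, replace
// a legacy hash with one from password_hash() (random salt, current default).
function verify_and_upgrade(string $password, string $stored): array
{
    if (!password_verify($password, $stored)) {
        return [false, $stored];
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $stored = password_hash($password, PASSWORD_DEFAULT);
    }
    return [true, $stored];
}

$cases = [
    ['natas12345', 'natas12346'],  // differ only after character 8
    ['natas12345', 'natas123'],    // second is just the 8-char prefix
    ['natas12345', 'batas12345'],  // differ inside the first 8
];
foreach ($cases as [$a, $b]) {
    printf("%-11s vs %-11s DES hashes equal: %s\n", $a, $b,
        var_export(des_hashes_match($a, $b), true));
}

// Legacy record created with DES crypt(), then upgraded at the next login.
$legacy = crypt('natas12345', SALT);
[$ok, $upgraded] = verify_and_upgrade('natas12345', $legacy);
printf("login ok: %s, stored hash changed: %s\n",
    var_export($ok, true), var_export($upgraded !== $legacy, true));

// Check the near-miss password against the upgraded hash.
printf("natas12346 accepted after upgrade: %s\n",
    var_export(password_verify('natas12346', $upgraded), true));
```

Until a record has been upgraded, any input sharing the first eight characters still passes password_verify() against the old DES hash, and the upgrade stores whatever was typed at that login. PASSWORD_BCRYPT has a limit of the same kind at 72 bytes.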
  • natas
  • PHP Ninja
  • Proficient
  • natas
  • Posts: 308
  • Loc: AFK

Post 3+ Months Ago

WritingBadCode wrote:
Quote:
It also only uses the first eight characters of str, so longer strings that start with the same eight characters will generate the same result (when the same salt is used).


Thank you! That explains it. I can't believe I didn't read that.
  • WritingBadCode
  • Graduate
  • Graduate
  • User avatar
  • Posts: 214
  • Loc: Sweden

Post 3+ Months Ago

natas wrote:
Thank you! That explains it. I can't believe I didn't read that.


It was easy to miss in that wall of text.. :)


© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.