As you can see, the string to be encoded is different in script 1 and 2, but the output is still the same.
And with script 3 and 4, both outputs are different.
So is there a maximum string limit when using crypt? Any opinion on this?
Edit: The standard DES-based encryption crypt() returns the salt as the first two characters of the output. It also only uses the first eight characters of str, so longer strings that start with the same eight characters will generate the same result (when the same salt is used).
Last edited by lonea; 07-26-2009 at 04:24 AM.
This of course wouldn't be an issue when using salt, since it's included "somewhere" in the hash, and hence it makes it impossible to guess where, unless you have the source code.
I would simply use md5, and then create my own function to store the salt. It doesn't matter that the string gets longer than normal, because potential attackers wouldn't know where in the string the hash is located.
With the crypt() function, the salt defines the type of encryption to use when hashing your password. Your salt does not match any of the four applicable salt formats (see http://php.net/crypt, the "Description" section, for the four salt formats) and so is reverting to the default CRYPT_STD_DES type format (which only uses the first two characters of your salt) - and which only takes the first eight characters of your string, so it will produce the same output when using the same salt, as you said.
Use another salt format if you still want to use crypt; if you want to use another salt format, use a nine character salt for the EXT DES type, a prefix of $1$ for MD5 or $2$ for blowfish.
Alternatively, use another hashing method such as hash() if your PHP version allows it.
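The following script is an added example written for this thread, not code posted by any of the participants. It demonstrates both points made above: the salt prefix selects the crypt() algorithm, and only the default CRYPT_STD_DES format collapses passwords that share their first eight characters. The password strings, the salts and the helper name `crypt_truncation_check` are constructed for illustration; the `$2y$` bcrypt prefix and `password_hash()` (PHP 5.5+) are newer than the thread and are shown as the current way to avoid choosing a salt format by hand.

```php
<?php
// Added example (not from the thread). Shows how the salt given to crypt()
// selects the hashing algorithm and whether that algorithm silently
// truncates the password. All passwords and salts below are constructed.

declare(strict_types=1);

/**
 * Hash two passwords that share their first eight characters using the same
 * salt and report whether crypt() produced identical hashes for them.
 *
 * @return array{hash1:string, hash2:string, truncated:bool}
 */
function crypt_truncation_check(string $salt): array
{
    $first  = 'password1-very-long';   // constructed sample password
    $second = 'password2-very-long';   // differs only from the 9th character on

    $h1 = crypt($first, $salt);
    $h2 = crypt($second, $salt);

    return [
        'hash1'     => $h1,
        'hash2'     => $h2,
        // hash_equals() is a constant-time comparison; here it only tells us
        // whether the two inputs were collapsed into the same digest.
        'truncated' => hash_equals($h1, $h2),
    ];
}

// One salt per format discussed in the thread. The bcrypt salt is 22 chars
// from [./0-9A-Za-z] after the "$2y$10$" prefix (cost 10), as the docs require.
$cases = [
    'CRYPT_STD_DES  (2-char salt)'  => 'ab',
    'CRYPT_MD5      ($1$ prefix)'   => '$1$saltsalt$',
    'CRYPT_BLOWFISH ($2y$ prefix)'  => '$2y$10$abcdefghijklmnopqrstuv$',
];

foreach ($cases as $label => $salt) {
    $r = crypt_truncation_check($salt);
    printf("%s\n  %s\n  %s\n  same hash for different passwords: %s\n\n",
        $label, $r['hash1'], $r['hash2'], $r['truncated'] ? 'YES' : 'no');
}

// Expected behaviour: only the STD_DES case reports YES, because it keys
// DES with the first eight characters and ignores the rest.

// Current practice: let PHP pick the algorithm and generate the salt.
// password_hash() uses bcrypt by default; password_verify() reads the
// algorithm and salt back out of the stored string.
$stored = password_hash('password1-very-long', PASSWORD_DEFAULT);
var_dump(password_verify('password1-very-long', $stored)); // bool(true)
var_dump(password_verify('password2-very-long', $stored)); // bool(false)
```

One caveat worth knowing when reading the output: bcrypt also has an input limit, but it is 72 bytes rather than 8, so ordinary passwords are never truncated by it. If you store hashes produced with a bare two-character salt today, every account whose password shares its first eight characters with another is effectively the same credential, which is the risk the original question uncovered.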