The following code returns the same encrypted password whichever way round. Why and how do we stop this.
$pwd = 'shits8888';
$salt = '50153fc193af9';
echo crypt($pwd,$salt)
Obviously something is missing as this is returning the same thing
$pwd = 'shits8888hjhfgnsdkjf8744884';
$salt = '50153fc193af9';
echo crypt($pwd,$salt)
The standard DES-based crypt() returns the salt as the first two characters of the output. It also only uses the first eight characters of str, so longer strings that start with the same eight characters will generate the same result (when the same salt is used).
http://php.net/manual/en/function.crypt.php
If you want more control over the algorithm used for hash, I suggest you take a look at mcrypt.
Note also that crypt() (despite the name) does not actually encrypt a string, it just generates a hash. If you are specifying the salt, which you are presumably also storing somewhere, you might do better with something like this:
function my_crypt ($string, $salt) {
return sha1($string.$salt); // ...or your hashing function of choice
}
Referenced from the manual: The standard DES-based crypt() returns the salt as the first two characters of the output. It also only uses the first eight characters of str, so longer strings that start with the same eight characters will generate the same result (when the same salt is used).
Both entries have got the same first 8 characters and the same salt. so it must return the same result.
For example:
echo crypt('12345678xxxxx','50153fc193af9');
echo crypt('12345678yyyyyy','50153fc193af9');
will both return 50gyRGMzn6mi6
because they share the same salt and the same first 8 characters
Every encryption algorithm has got a limit, even md5 gets repeated at some point.
