3

I'm checking out the PHPass library that has been recommended in a lot of answers here on SO. But when I look at the generated passwords, I see something like this:

[screenshot of the generated password hashes]

Now some of these are just 1234, some are a bit more complex, and some are really complex (uppercase, lowercase, special characters, etc.). But still, I keep seeing that the first 7 characters are always the same, no matter what the password is. Isn't this making it easy to guess? I don't know much about rainbow or dictionary attacks, but this looks weird. Is this usual? Is this a bug? Is the framework good enough to use in production environments?

DS.

1 Answer

2

These first characters are just a "description" of the hashing method. Thanks to that you'll be able to recognize and reuse that method to check the password, even on a different server or after changing the hashing method for new passwords (old ones will still be recognized).

You can read about this prefix and the new one here: http://www.php.net/security/crypt_blowfish.php

Elon Than
  • Do you mean the algorithm used? If that's the case, why need 7 characters to denote just that? Wouldn't a single character or something like $b$ achieve that? – DS. Oct 14 '13 at 02:20
  • @DS. Maybe it would be enough, but not for the blowfish case, because it also needs the `cost` parameter, which is between the second and third `$`. – Elon Than Oct 14 '13 at 02:22
  • Thanks for the link. I was googling the irrelevant stuff. I'll also leave this link here for anyone curious about that `cost` mention. http://php.net/manual/en/function.crypt.php – DS. Oct 14 '13 at 02:28
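As an added example (not code from the question, the answer, or the PHPass project itself), the Python below shows what the fixed leading characters of a PHPass-style hash encode and re-implements the portable `$P$` scheme with the standard library, so the salt and iteration handling behind the prefix can be inspected. The bcrypt branch only parses the `$2a$08$`-style prefix (it does not compute bcrypt); the salt generation is a stand-in for PHPass' own gensalt routine; the `test12345` check vector is the one shipped in PHPass' test.php.

```python
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def describe(stored):
    """Split a stored hash into its public parameters: scheme, rounds, salt."""
    if stored.startswith(("$2a$", "$2y$")):          # bcrypt via crypt()
        cost = int(stored[4:6])                      # "$2a$08$" -> cost 8
        return {"scheme": "bcrypt", "rounds": 2 ** cost, "salt": stored[7:29]}
    if stored.startswith(("$P$", "$H$")):            # PHPass portable hash
        count_log2 = ITOA64.index(stored[3])         # the char right after "$P$"
        return {"scheme": "phpass-md5", "rounds": 2 ** count_log2, "salt": stored[4:12]}
    raise ValueError("unknown hash format")

def _encode64(raw):
    """PHPass' own base64 variant (not RFC 4648): 3 bytes -> 4 chars, LSB first."""
    out, i = [], 0
    while i < len(raw):
        value, i = raw[i], i + 1
        out.append(ITOA64[value & 0x3F])
        if i < len(raw):
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= len(raw): break
        i += 1
        if i < len(raw):
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= len(raw): break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def hash_portable(password, count_log2=11, salt=None):
    """Build a "$P$" hash; the 12-char setting prefix is public, only the salt varies."""
    salt = salt or _encode64(os.urandom(6))[:8]      # stand-in for PHPass' gensalt
    setting = "$P$" + ITOA64[count_log2] + salt      # e.g. "$P$9" + 8 salt chars
    digest = hashlib.md5((salt + password).encode()).digest()
    for _ in range(1 << count_log2):                 # 2**count_log2 extra rounds
        digest = hashlib.md5(digest + password.encode()).digest()
    return setting + _encode64(digest)

def check_portable(password, stored):
    """Recompute with the salt and rounds read from the stored hash, then compare."""
    if describe(stored)["scheme"] != "phpass-md5":
        raise ValueError("not a portable PHPass hash")
    candidate = hash_portable(password, ITOA64.index(stored[3]), stored[4:12])
    return hmac.compare_digest(candidate, stored)    # constant-time comparison
```

The repeated prefix carries only the scheme and the work factor; the per-hash salt that follows it is what keeps two hashes of the same password from colliding.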