Hello, I just used the crypt command on 'password' and 'password1' and got identical output!! What are the rules concerning the crypt function? Am I not allowed to use numbers? EXACTLY what am I allowed to use? Many thanks in advance.

According to this comment on php.net , certain situations will cause crypt() to only look at the first eight characters.

For example, in this situation, they seem to return the same thing and only compare the first eight characters...

<?php
echo crypt('password', 'blablabla');
echo crypt('password1', 'blablabla');
?>

One way to this doesn't happen is to use a md5 hash as the encryption salt. For example, this will automatically generate an md5 hash for the salt, and use that for the encryption (at least the way my server is set up).

<?php
$cypher = crypt( time() );
echo crypt('password', $cypher);
echo crypt('password1', $cypher);
?>

That will return two different strings like it is supposed to.

Random question... why use crypt? Why not just check the md5 hash of the password (saved in the db) against the md5 hash of the user input?

- Walkere

Thanks for your reply. If use $cypher = crypt( time() ) as my salt, I would have to remember the value generated by time(). This will allow me check their password during login. Am I right? I am working on an existing site. I myself don't know why crypt was used.

Yes... and no.

Take a look at the output of this snippet.

$cypher = crypt ( time() );
echo $cypher . '';
echo crypt('password', $cypher) . '';
echo crypt('password1', $cypher) . '';

$1$wq9DJoxw$BXWWXppH8uBry2NKaD3uF.
$1$wq9DJoxw$NuwqVpY4.7rcmllLROImH.
$1$wq9DJoxw$G.a0Gd1vbp4SAaQcCxj3c.

Notice how the first 11 characters of each line ($cypher, the crypt of 'password', and the crypt of 'password1') are all the same?

When you make the initial crypt() call, it automatically generates a salt for you. On my server, that automatically generated salt is based on an md5 hash - and is formatted as $1$xxxxxxxx$.

The crypt function always pre-pends the salt used to the output. So when you later encrypt 'password,' you're saving the salt inside that encryption. So you don't have to save the $cypher variable we created, you just need to save the outcome of crypt('password', $cypher) and use that as your new salt.

Like this example...

$cypher = crypt ( time() );
$password = crypt('password', $cypher);

if (crypt('password', $password) == $password)
	echo "Match!";
else
	echo "No match!";

So when you initially encrypt 'password,' you can use any md5 hash salt - including a random one based on time. Just save the encrypted password, and that includes the salt that you're using to compare with.

You could also create your own md5 hash salt instead of using time(). Just format it like the output above - $1$ + 8 chars + $. But the point is that it needs to be this type of salt for crypt to use more than 8 characters of the password.

So the way I would do it...

Randomly generate a salt and save it in the password:

$password = crypt($original_password, crypt ( time () ) );

Retrieve the encrypted $password from the DB and check:

if (crypt($input_password, $password) == $password)
  { // Log in }

- Walkere