Understanding crypt()

wyred
Forum Commoner
Posts: 86
Joined: Mon Dec 20, 2004 1:59 am
Location: Singapore

Understanding crypt()

Post by wyred »

I was reading the following article when I got confused.

Article: http://www.devshed.com/c/a/PHP/Using-th ... unction/2/

Firstly, the following password was stored in the database after encrypting:

Code:

$pwrd = crypt(trim($_POST['pword']));

// $pwrd will be stored in the database and $_POST['pword'] is the password from the registration form.

When verifying the password received from a login form with the one in the database:

Code:

if (crypt($pwrd, $row['pword']) == $row['pword'])

// Where $pwrd is the password from the login form and $row['pword'] is the crypted password from the database.

What I'm confused about is: how can the encrypted password in the database, created without a salt provided (first code), be the same as the encrypted password created with a salt provided (second code)?

Post by wyred »

bump
magicrobotmonkey
Forum Regular
Posts: 888
Joined: Sun Mar 21, 2004 1:09 pm
Location: Cambridge, MA

Post by magicrobotmonkey »

The 'salt' is the password itself.

Post by wyred »

OK, what I'm asking is: how is the following equation valid?

$pass = 'somepass';
$pass2 = 'somepass';

(crypt($pass2,crypt($pass)) == crypt($pass)) === true
ast3r3x
Forum Commoner
Posts: 95
Joined: Thu Aug 19, 2004 8:36 pm

Post by ast3r3x »

crypt uses a random salt if you don't provide one. So...
crypt($pass1) != crypt($pass1);

but if you wanted...
md5($pass1) == md5($pass1);

Now of course you want your files encrypted instead of just hashed with md5, so what I would suggest is using part of the password as the salt:

crypt($pass1, substr($pass1, 2));

That way it'll be the same every time and only if the password is right will it work. Hope that helps...and I hope I didn't lie to you about anything because I'm not a genius.

Post by ast3r3x »

I didn't answer your question. Sorry.

Post by magicrobotmonkey »

The standard DES-based encryption crypt() returns the salt as the first two characters of the output. It also only uses the first eight characters of str, so longer strings that start with the same eight characters will generate the same result (when the same salt is used).
and
If you are using the supplied salt, you should be aware that the salt is generated once. If you are calling this function repeatedly, this may impact both appearance and security.
(from http://us2.php.net/manual/en/function.crypt.php)

I think that means this:
$pass = 'somepass';
$pass2 = 'somepass';

(crypt($pass2,crypt($pass)) == crypt($pass)) === true
should work fine
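An added example, not code from the thread or the devshed article, that walks through both of wyred's snippets and the manual caveat quoted above: the stored string begins with the salt, so passing it back as the salt argument reproduces the same string, and DES crypt() keys on only the first eight characters. It assumes PHP 7 or later (random_int, and the $6$ SHA-512 crypt format); the salt alphabet, sample passwords and function names are constructed for the example.

```php
<?php
// Added example, not from the thread or the devshed article. It shows why
// crypt($input, $stored) == $stored works: the stored string starts with the
// salt, and crypt() reads the salt back out of that argument.

// The two-character DES salt the manual quote describes. Salt and password
// are constructed sample values.
$desStored = crypt('somepass', 'ab');            // salt 'ab' becomes the prefix
$desCheck  = crypt('somepass', $desStored);      // crypt() uses only 'ab' from it
assert($desCheck === $desStored);
assert(substr($desStored, 0, 2) === 'ab');

// The caveat the manual note raises: DES crypt() keys on the first eight
// characters only, so a longer password with the same prefix also verifies.
assert(crypt('somepass-longer', $desStored) === $desStored);

// A registration/login pair that avoids that limit. SHA-512 crypt ("$6$",
// assumed available: PHP >= 5.3.2) keys on the whole password and takes a
// 16-character salt drawn from the ./0-9A-Za-z alphabet.
function make_salt(int $length = 16): string {
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        $salt .= $alphabet[random_int(0, strlen($alphabet) - 1)];   // PHP >= 7
    }
    return $salt;
}

// Registration: the value that goes into the database column.
function hash_for_storage(string $password): string {
    return crypt($password, '$6$rounds=100000$' . make_salt() . '$');
}

// Login: the stored value doubles as the salt argument, exactly as in the
// thread's second snippet. hash_equals (PHP >= 5.6) replaces == so the
// comparison does not stop early at the first differing byte.
function verify_password(string $candidate, string $stored): bool {
    return hash_equals($stored, crypt($candidate, $stored));
}

$stored = hash_for_storage('somepass');
assert(verify_password('somepass', $stored));
assert(!verify_password('somepass-longer', $stored));   // no 8-character truncation here
assert(!verify_password('somepas5', $stored));
// A fresh registration of the same password gets a fresh salt, so it differs.
assert(hash_for_storage('somepass') !== $stored);
echo "all checks passed\n";
```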

Post by wyred »

I get it now, thanks. :)