Bug #66874 Hashing gives same output for a specific string
Submitted: 2014-03-10 01:53 UTC
Modified: 2014-03-10 02:10 UTC
From: amish dot mhatre dot 1993 at gmail dot com
Assigned:
Status: Not a bug
Package: hash related
PHP Version: 5.4.26
OS: Windows 7
Private report: No
CVE-ID: None
 [2014-03-10 01:53 UTC] amish dot mhatre dot 1993 at gmail dot com
Description:
------------
---
From manual page: http://www.php.net/function.crypt
---


Test script:
---------------
<?php

echo "Using Salt: tRySalTIng@free ";
echo "<br><br>";

$pwd="1234567890";
$ped=crypt($pwd,'tRySalTIng@free');
echo "1234567890: ".$ped."<br><br>";


$pwd="123456789123";
$ped=crypt($pwd,'tRySalTIng@free');
echo "123456789123: ".$ped."\n";


echo "<br><br>";
echo "<br><br>";


echo "Using Salt: BLA&ZE11005!@98 ";
echo "<br><br>";

$pwd="1234567890";
$ped=crypt($pwd,'BLA&ZE11005!@98');
echo "1234567890: ".$ped."<br><br>";

$pwd="123456789123";
$ped=crypt($pwd,'BLA&ZE11005!@98');
echo "123456789123: ".$ped."\n";



?>

Expected result:
----------------
Got following output:

Using Salt: tRySalTIng@free 

1234567890: tRIrkXjwVoQ4E

123456789123: tRIrkXjwVoQ4E 



Using Salt: BLA&ZE11005!@98 

1234567890: BLBaYGP/QWoPM

123456789123: BLBaYGP/QWoPM


Both gave the same hashed values for the above strings. Well, try to check out this bug ASAP because it is not at all safe from a security point of view.



 [2014-03-10 02:02 UTC] requinix@php.net
-Status: Open +Status: Not a bug
 [2014-03-10 02:02 UTC] requinix@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Your salt is triggering CRYPT_STD_DES, and as stated in the documentation:

> The standard DES-based crypt() returns the salt as the first two characters of
> the output. It also only uses the first eight characters of str, so longer
> strings that start with the same eight characters will generate the same result
> (when the same salt is used).
 [2014-03-10 02:10 UTC] requinix@php.net
And while I'm here,

Don't try to do your own password hashing. Unless you're an expert in cryptography you will get something wrong, such as not using crypt() or the salts available to it correctly.
Use http://www.php.net/manual/en/book.password.php in PHP 5.5+ or https://github.com/ircmaxell/password_compat for earlier versions.
 [2014-03-10 02:57 UTC] amish dot mhatre dot 1993 at gmail dot com
@requinix@php.net:

Thanks for the info. Yes, I went through the documentation and got an idea about the crypt() function.

And thanks for the links. The functions stated there meet my requirements.
Thanks once again.
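
The truncation discussed in this thread and the move to the password API, as an added example that is not part of the original report or of PHP itself. The function names `is_std_des_hash`, `crypt_collides` and `verify_and_upgrade` are hypothetical, and the code assumes PHP 7.0 or later; the salt and passwords are the ones from the test script above.

```php
<?php
// Added example: helper names are illustrative, not part of PHP.

// A stored hash is CRYPT_STD_DES when it is exactly 13 characters from the
// crypt alphabet: 2 salt characters followed by 11 hash characters.
function is_std_des_hash(string $hash): bool
{
    return preg_match('#^[./0-9A-Za-z]{13}$#D', $hash) === 1;
}

// True when two passwords produce the same crypt() output under $salt.
// $salt may be a bare salt or a full stored hash (crypt() reads its prefix).
function crypt_collides(string $a, string $b, string $salt): bool
{
    return hash_equals(crypt($a, $salt), crypt($b, $salt));
}

// Verify a login against a stored hash. On success, also return a
// replacement hash when the stored one is not in the current default format.
// Returns [bool $ok, ?string $replacementHash].
function verify_and_upgrade(string $password, string $stored): array
{
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    $replacement = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return [true, $replacement];
}

// Values taken from the report's test script.
$salt   = 'tRySalTIng@free';
$legacy = crypt('1234567890', $salt);

var_dump(is_std_des_hash($legacy));                              // legacy format?
var_dump(crypt_collides('1234567890', '123456789123', $salt));   // same first 8 chars

// Upgrade on successful login. The legacy hash only vouches for the first
// eight characters, so the replacement binds whatever was typed this time.
list($ok, $new) = verify_and_upgrade('1234567890', $legacy);
var_dump($ok, is_std_des_hash($new));
var_dump(crypt_collides('1234567890', '123456789123', $new));    // full length now counts
```

Running `is_std_des_hash` over a credential table is a quick way to count how many accounts still carry hashes that ignore everything past the eighth character.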
 
Last updated: Fri Dec 27 02:01:29 2024 UTC