Bug #70444 Produces same cipher for different string with same salt
Submitted: 2015-09-07 09:21 UTC
Modified: 2015-09-07 09:47 UTC
Votes: 1
Avg. Score: 1.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 0 (0.0%)
Same OS: 0 (0.0%)
From: sunshine dot cst dot 07 at gmail dot com
Assigned:
Status: Not a bug
Package: *Encryption and hash functions
PHP Version: 5.5.29
OS: Windows 7 Enterprise - 64bit
Private report: No
CVE-ID: None
 [2015-09-07 09:21 UTC] sunshine dot cst dot 07 at gmail dot com
Description:
------------
---
From manual page: http://www.php.net/intro.password
---
While using the "crypt($password, $salt)" function for two different strings with the same $salt, it returns the same encrypted text.

Test script:
---------------
<?php
$email = "bforbiswajit@outlook.com";
$password = "biswajit";   // use "biswajit123" and it gives the same cipher
$salt = "1234";
$saltedPassword = crypt($password, $salt);
echo $saltedPassword;

 [2015-09-07 09:40 UTC] phpmpan at mpan dot pl
This is a hash. Hashes are expected to have collisions. However, nice finding.

Also:
    /* Standard DES-based hash with a **two character salt**
       from the alphabet "./0-9A-Za-z". */
    /* password_hash() uses a strong hash, generates a strong salt,
       and applies proper rounds automatically. password_hash() is
       a simple crypt() wrapper and compatible with existing
       password hashes. Use of password_hash() is encouraged. */
       -- <https://secure.php.net/manual/en/function.crypt.php>
 [2015-09-07 09:47 UTC] requinix@php.net
-Status: Open +Status: Not a bug
 [2015-09-07 09:47 UTC] requinix@php.net
As @phpmpan said, by using "12" as the salt (the rest is irrelevant) you've selected the "standard DES-based hash", and
> The standard DES-based crypt() returns the salt as the first two characters of
> the output. It also only uses the first eight characters of str, so longer
> strings that start with the same eight characters will generate the same result
> (when the same salt is used).

If you don't know what you're doing with crypt() then use the password hashing functions instead.
http://php.net/manual/en/ref.password.php
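A login-time check that makes the point concrete (an added example, not code from the bug report or from PHP's own sources; isLegacyDesHash and verifyAndUpgrade are illustrative names, and the script assumes a current PHP with the bundled crypt() implementation): it reproduces the collision from the report and migrates a legacy DES hash to password_hash() on the next successful login.

```php
<?php
// Standard DES crypt() output is 13 characters from "./0-9A-Za-z":
// a 2-character salt followed by 11 hash characters.
const DES_CRYPT_RE = '#^[./0-9A-Za-z]{13}$#';

function isLegacyDesHash(string $hash): bool
{
    return preg_match(DES_CRYPT_RE, $hash) === 1;
}

// Verify $password against $stored; set $upgraded to a fresh
// password_hash() value whenever the stored hash should be replaced.
function verifyAndUpgrade(string $password, string $stored, ?string &$upgraded): bool
{
    $upgraded = null;
    if (isLegacyDesHash($stored)) {
        // crypt() with the stored hash as the salt reuses its first two
        // characters as the DES salt. Any password sharing the first eight
        // bytes of the original still passes this legacy check; the new
        // hash only closes that gap for later logins.
        if (!hash_equals($stored, crypt($password, $stored))) {
            return false;
        }
        $upgraded = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upgraded = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// The report's inputs: only the first 8 password bytes and the first 2
// salt bytes matter, so both hashes are identical and begin with "12".
$salt  = '1234';
$hashA = crypt('biswajit', $salt);
$hashB = crypt('biswajit123', $salt);
var_dump(isLegacyDesHash($hashA), $hashA === $hashB, substr($hashA, 0, 2));

// The legacy hash still accepts the longer password (DES truncation),
// but the upgraded hash distinguishes the two.
var_dump(verifyAndUpgrade('biswajit123', $hashA, $new));
var_dump(password_verify('biswajit123', $new), password_verify('biswajit', $new));
```

In a real deployment the returned $upgraded value replaces the stored hash, so the window in which an eight-character prefix suffices closes after each user's next login.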