|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #62134 Bcrypt Password Hashing ingores last salt character
Submitted: 2012-05-24 08:52 UTC Modified: 2012-07-02 05:26 UTC
From: sebastian dot pleschko at icans-gmbh dot com Assigned:
Status: Not a bug Package: hash related
PHP Version: 5.3.13 OS: Ubuntu 12.04
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: sebastian dot pleschko at icans-gmbh dot com
New email:
PHP Version: OS:


 [2012-05-24 08:52 UTC] sebastian dot pleschko at icans-gmbh dot com
The documentation states, that the salt for bcrypt hashing requires 22 
characters. You do actually need to provide 22 Characters, however the last 
character is (partially) ignored and not appended to the salt in the encrypted 

It seems that it is not a complete ingorance, however. Apparently the characters 
a-e produce the same results, as do the characters f-z and A-Z. 

This doesn't seem right.... 

Test script:
// More than 22 Characters will be trimmed
echo crypt('Test','$2a$09$alongstringwithmanycharacters');
// $2a$09$alongstringwithmanychOw5ylWHc1konZ7sxrgs2HrhMWZdgvW0W

// 21 Characters -> Error
echo crypt('Test','$2a$09$alongstringwithmanych');
// *0

// 22 Characters -> Works, notice how the last char isn't shown in the pw
echo crypt('Test','$2a$09$alongstringwithmanycha');
// $2a$09$alongstringwithmanychOw5ylWHc1konZ7sxrgs2HrhMWZdgvW0W

// 22 Characters -> Different salt, same result! The last char is required but  ignored
echo crypt('Test','$2a$09$alongstringwithmanychb');
// $2a$09$alongstringwithmanychOw5ylWHc1konZ7sxrgs2HrhMWZdgvW0W


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2012-07-02 05:12 UTC] smt837784 at yahoo dot com
*** This is not a bug and the status should be changed ***

The salt is a 128 bit value in base64 (using these characters "./A-Za-z0-9" vs "A-Za-z0-9+/") which means the last character in the salt is only 2 bits and is going to be one of the following characters ".Oeu".

So "alongstringwithmanycharacters" is actually "alongstringwithmanychO==" then "==" is removed.
 [2012-07-02 05:26 UTC]
-Status: Open +Status: Not a bug
 [2012-07-02 05:26 UTC]
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Sun Feb 05 17:04:43 2023 UTC