PHP :: Bug #62134 :: Bcrypt Password Hashing ingores last salt character

Bug #62134	Bcrypt Password Hashing ingores last salt character
Submitted:	2012-05-24 08:52 UTC	Modified:	2012-07-02 05:26 UTC
From:	sebastian dot pleschko at icans-gmbh dot com	Assigned:
Status:	Not a bug	Package:	hash related
PHP Version:	5.3.13	OS:	Ubuntu 12.04
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	sebastian dot pleschko at icans-gmbh dot com
New email:
PHP Version:		OS:

New Comment:

[2012-05-24 08:52 UTC] sebastian dot pleschko at icans-gmbh dot com

Description:
------------
The documentation states, that the salt for bcrypt hashing requires 22 
characters. You do actually need to provide 22 Characters, however the last 
character is (partially) ignored and not appended to the salt in the encrypted 
password.

It seems that it is not a complete ingorance, however. Apparently the characters 
a-e produce the same results, as do the characters f-z and A-Z. 

This doesn't seem right.... 



Test script:
---------------
// More than 22 Characters will be trimmed
echo crypt('Test','$2a$09$alongstringwithmanycharacters');
// $2a$09$alongstringwithmanychOw5ylWHc1konZ7sxrgs2HrhMWZdgvW0W


// 21 Characters -> Error
echo crypt('Test','$2a$09$alongstringwithmanych');
// *0

// 22 Characters -> Works, notice how the last char isn't shown in the pw
echo crypt('Test','$2a$09$alongstringwithmanycha');
// $2a$09$alongstringwithmanychOw5ylWHc1konZ7sxrgs2HrhMWZdgvW0W

// 22 Characters -> Different salt, same result! The last char is required but  ignored
echo crypt('Test','$2a$09$alongstringwithmanychb');
// $2a$09$alongstringwithmanychOw5ylWHc1konZ7sxrgs2HrhMWZdgvW0W

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2012-07-02 05:12 UTC] smt837784 at yahoo dot com

*** This is not a bug and the status should be changed ***

The salt is a 128 bit value in base64 (using these characters "./A-Za-z0-9" vs "A-Za-z0-9+/") which means the last character in the salt is only 2 bits and is going to be one of the following characters ".Oeu".

So "alongstringwithmanycharacters" is actually "alongstringwithmanychO==" then "==" is removed.

[2012-07-02 05:26 UTC] rasmus@php.net

-Status: Open +Status: Not a bug

[2012-07-02 05:26 UTC] rasmus@php.net

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Tue Apr 23 13:01:29 2024 UTC