Bug #62134 Bcrypt Password Hashing ignores last salt character
Submitted: 2012-05-24 08:52 UTC Modified: 2012-07-02 05:26 UTC
From: sebastian dot pleschko at icans-gmbh dot com Assigned:
Status: Not a bug Package: hash related
PHP Version: 5.3.13 OS: Ubuntu 12.04
Private report: No CVE-ID: None

 [2012-05-24 08:52 UTC] sebastian dot pleschko at icans-gmbh dot com
The documentation states that the salt for bcrypt hashing requires 22
characters. You do actually need to provide 22 characters, however the last
character is (partially) ignored and not appended to the salt in the encrypted

It seems that it is not a complete ignorance, however. Apparently the characters
a-e produce the same results, as do the characters f-z and A-Z.

This doesn't seem right....

Test script:
<?php
// More than 22 characters will be trimmed
echo crypt('Test', '$2a$09$alongstringwithmanycharacters');
// $2a$09$alongstringwithmanychOw5ylWHc1konZ7sxrgs2HrhMWZdgvW0W

// 21 characters -> Error
echo crypt('Test', '$2a$09$alongstringwithmanych');
// *0

// 22 characters -> Works, notice how the last char isn't shown in the pw
echo crypt('Test', '$2a$09$alongstringwithmanycha');
// $2a$09$alongstringwithmanychOw5ylWHc1konZ7sxrgs2HrhMWZdgvW0W

// 22 characters -> Different salt, same result! The last char is required but ignored
echo crypt('Test', '$2a$09$alongstringwithmanychb');
// $2a$09$alongstringwithmanychOw5ylWHc1konZ7sxrgs2HrhMWZdgvW0W


 [2012-07-02 05:12 UTC] smt837784 at yahoo dot com
*** This is not a bug and the status should be changed ***

The salt is a 128-bit value in base64 (using these characters "./A-Za-z0-9" vs "A-Za-z0-9+/"), which means the last character in the salt is only 2 bits and is going to be one of the following characters ".Oeu".

So "alongstringwithmanycharacters" is actually "alongstringwithmanychO==", and then "==" is removed.
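The encoding explained in the comment above can be checked directly. The following is an added example written for this page, not code from PHP or from either commenter: it implements bcrypt's base64 variant (alphabet "./A-Za-z0-9", no padding, 6-bit groups consumed until 16 bytes have been produced and the rest discarded), re-encodes the 16 decoded bytes to get the salt exactly as crypt() echoes it back in the hash, and normalizes a full "$2a$NN$<salt>" setting string. The helper names (bcrypt_b64_decode, canonical_salt, normalize_setting, random_salt) are this example's own; the "*0" failure token it returns for a too-short salt mirrors the value shown in the bug report.

```python
import os

# bcrypt's base64 alphabet. It differs from RFC 4648 base64: it starts with "./"
# instead of ending with "+/", and it uses no "=" padding.
BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
_INDEX = {c: i for i, c in enumerate(BCRYPT_B64)}

# Accepted bcrypt identifiers (the report uses "2a"; "2y" is PHP's fixed variant,
# "2b" is OpenBSD's current one).
_BCRYPT_IDS = ("2a", "2b", "2y")


def bcrypt_b64_decode(s: str, nbytes: int) -> bytes:
    """Decode bcrypt-style base64 into exactly nbytes bytes.

    Characters are consumed as 6-bit groups; once nbytes bytes are complete,
    any remaining bits (and characters) are discarded. For a 22-character
    salt that is 22*6 = 132 bits, of which only 128 are used, so the low
    4 bits of the 22nd character never influence the result.
    """
    bits, nbits = 0, 0
    out = bytearray()
    for ch in s:
        if ch not in _INDEX:
            raise ValueError(f"invalid bcrypt base64 character {ch!r}")
        bits = (bits << 6) | _INDEX[ch]
        nbits += 6
        while nbits >= 8 and len(out) < nbytes:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
        bits &= (1 << nbits) - 1  # keep only the not-yet-consumed bits
    if len(out) < nbytes:
        raise ValueError(f"need {nbytes} bytes, got only {len(out)}")
    return bytes(out)


def bcrypt_b64_encode(data: bytes) -> str:
    """Encode bytes with bcrypt's alphabet and no padding.

    16 bytes = 128 bits = 21 full characters plus 2 leftover bits. Those 2
    bits are left-aligned in the 22nd character, so its index is one of
    0, 16, 32 or 48: the characters '.', 'O', 'e', 'u'.
    """
    bits, nbits = 0, 0
    out = []
    for b in data:
        bits = (bits << 8) | b
        nbits += 8
        while nbits >= 6:
            nbits -= 6
            out.append(BCRYPT_B64[(bits >> nbits) & 0x3F])
        bits &= (1 << nbits) - 1
    if nbits:
        out.append(BCRYPT_B64[(bits << (6 - nbits)) & 0x3F])
    return "".join(out)


def canonical_salt(salt: str) -> str:
    """Return the 22-character salt exactly as bcrypt will echo it in the hash."""
    return bcrypt_b64_encode(bcrypt_b64_decode(salt, 16))


def is_canonical_salt(salt: str) -> bool:
    """True if the salt round-trips unchanged, i.e. its last char is one of '.Oeu'."""
    return len(salt) == 22 and canonical_salt(salt) == salt


def random_salt() -> str:
    """The right way to build a bcrypt salt: 16 random bytes, then encode.
    The result is always canonical, so nothing is silently dropped."""
    return bcrypt_b64_encode(os.urandom(16))


def normalize_setting(setting: str) -> str:
    """Normalize '$2a$NN$<salt>' the way crypt() does for the salt part:
    extra characters after the 22nd are dropped and the 22nd is replaced by
    its canonical form. A salt shorter than 22 characters is unusable; PHP's
    crypt() returns the failure token '*0' in that case, which is mirrored here.
    """
    parts = setting.split("$")
    if (len(parts) != 4 or parts[0] != "" or parts[1] not in _BCRYPT_IDS
            or len(parts[2]) != 2 or not parts[2].isdigit()):
        return "*0"
    salt = parts[3]
    if len(salt) < 22:
        return "*0"
    try:
        return f"${parts[1]}${parts[2]}${canonical_salt(salt[:22])}"
    except ValueError:
        return "*0"


if __name__ == "__main__":
    # Constructed inputs taken from the bug report's test script.
    for s in ("$2a$09$alongstringwithmanycharacters",
              "$2a$09$alongstringwithmanych",
              "$2a$09$alongstringwithmanycha",
              "$2a$09$alongstringwithmanychb"):
        print(f"{s:45} -> {normalize_setting(s)}")
    print("fresh salt:", random_salt())
```

Running it reproduces the four salt prefixes from the report ("...manychO" three times, "*0" once) without calling crypt() at all. The practical takeaway for anyone still building bcrypt setting strings by hand: generate the salt from 16 random bytes and encode it, rather than picking 22 arbitrary characters, otherwise the 4 discarded bits make two of your "different" salts collide, as the reporter observed.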
 [2012-07-02 05:26 UTC]
-Status: Open +Status: Not a bug