PHP :: Bug #62134 :: Bcrypt Password Hashing ingores last salt character

Bug #62134	Bcrypt Password Hashing ingores last salt character
Submitted:	2012-05-24 08:52 UTC	Modified:	2012-07-02 05:26 UTC
From:	sebastian dot pleschko at icans-gmbh dot com	Assigned:
Status:	Not a bug	Package:	hash related
PHP Version:	5.3.13	OS:	Ubuntu 12.04
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !

Your email address: MUST BE VALID
Solve the problem: 43 + 26 = ?
Subscribe to this entry?

[2012-05-24 08:52 UTC] sebastian dot pleschko at icans-gmbh dot com

Description:
------------
The documentation states, that the salt for bcrypt hashing requires 22 
characters. You do actually need to provide 22 Characters, however the last 
character is (partially) ignored and not appended to the salt in the encrypted 
password.

It seems that it is not a complete ingorance, however. Apparently the characters 
a-e produce the same results, as do the characters f-z and A-Z. 

This doesn't seem right.... 



Test script:
---------------
// More than 22 Characters will be trimmed
echo crypt('Test','$2a$09$alongstringwithmanycharacters');
// $2a$09$alongstringwithmanychOw5ylWHc1konZ7sxrgs2HrhMWZdgvW0W


// 21 Characters -> Error
echo crypt('Test','$2a$09$alongstringwithmanych');
// *0

// 22 Characters -> Works, notice how the last char isn't shown in the pw
echo crypt('Test','$2a$09$alongstringwithmanycha');
// $2a$09$alongstringwithmanychOw5ylWHc1konZ7sxrgs2HrhMWZdgvW0W

// 22 Characters -> Different salt, same result! The last char is required but  ignored
echo crypt('Test','$2a$09$alongstringwithmanychb');
// $2a$09$alongstringwithmanychOw5ylWHc1konZ7sxrgs2HrhMWZdgvW0W

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2012-07-02 05:12 UTC] smt837784 at yahoo dot com

*** This is not a bug and the status should be changed ***

The salt is a 128 bit value in base64 (using these characters "./A-Za-z0-9" vs "A-Za-z0-9+/") which means the last character in the salt is only 2 bits and is going to be one of the following characters ".Oeu".

So "alongstringwithmanycharacters" is actually "alongstringwithmanychO==" then "==" is removed.

[2012-07-02 05:26 UTC] rasmus@php.net

-Status: Open +Status: Not a bug

[2012-07-02 05:26 UTC] rasmus@php.net

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 04:01:28 2024 UTC