Bug #70444 Produces same cipher for different string with same salt
Submitted: 2015-09-07 09:21 UTC Modified: 2015-09-07 09:47 UTC
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: sunshine dot cst dot 07 at gmail dot com Assigned:
Status: Not a bug Package: *Encryption and hash functions
PHP Version: 5.5.29 OS: Windows 7 Enterprise - 64bit
Private report: No CVE-ID: None
 [2015-09-07 09:21 UTC] sunshine dot cst dot 07 at gmail dot com
Description:
------------
---
From manual page: http://www.php.net/intro.password
---
While using the "crypt($password, $salt)" function for two different strings with the same $salt, it returns the same encrypted text.

Test script:
---------------
<?php
$email = "bforbiswajit@outlook.com";   // not used by crypt(); kept as in the report
$password = "biswajit";   // use "biswajit123" and it gives the same cipher
$salt = "1234";
$saltedPassword = crypt($password, $salt);
echo $saltedPassword;

 [2015-09-07 09:40 UTC] phpmpan at mpan dot pl
This is a hash. Hashes are expected to have collisions. However, nice finding.

Also:
> Standard DES-based hash with a **two character salt**
> from the alphabet "./0-9A-Za-z".
>
> password_hash() uses a strong hash, generates a strong salt,
> and applies proper rounds automatically. password_hash() is
> a simple crypt() wrapper and compatible with existing
> password hashes. Use of password_hash() is encouraged.
-- <https://secure.php.net/manual/en/function.crypt.php>
 [2015-09-07 09:47 UTC] requinix@php.net
-Status: Open +Status: Not a bug
 [2015-09-07 09:47 UTC] requinix@php.net
As @phpmpan said, by using "12" as the salt (the rest is irrelevant) you've selected the "standard DES-based hash", and
> The standard DES-based crypt() returns the salt as the first two characters of
> the output. It also only uses the first eight characters of str, so longer
> strings that start with the same eight characters will generate the same result
> (when the same salt is used).

If you don't know what you're doing with crypt() then use the password hashing functions instead.
http://php.net/manual/en/ref.password.php
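The eight-character truncation described in this report, next to the recommended password_hash()/password_verify() pair, as an added example (not code from the bug report or from PHP's own sources); the helper names desCryptCollides() and passwordHashDistinguishes() are assumed here, and the inputs are the report's own strings:

```php
<?php
// Added example: why the two passwords from the report collide under the
// standard DES-based crypt(), and how password_hash() keeps them apart.

function desCryptCollides(string $a, string $b, string $salt): bool
{
    // A two-character salt selects the standard DES-based hash. Only the
    // first eight characters of the input take part in the computation, and
    // the output begins with the two salt characters.
    return crypt($a, $salt) === crypt($b, $salt);
}

function passwordHashDistinguishes(string $a, string $b): bool
{
    // password_hash() chooses a strong algorithm (PASSWORD_DEFAULT is bcrypt
    // on current PHP releases) and generates its own random salt, so the
    // caller never supplies one.
    $hash = password_hash($a, PASSWORD_DEFAULT);

    // password_verify() must accept the original and reject the other string.
    return password_verify($a, $hash) && !password_verify($b, $hash);
}

$salt = "1234";          // only "12" is used by the DES variant
$p1   = "biswajit";
$p2   = "biswajit123";   // shares its first eight characters with $p1
$p3   = "Biswajit";      // differs inside the first eight characters

printf("crypt(%s, %s)    = %s\n", $p1, $salt, crypt($p1, $salt));
printf("crypt(%s, %s) = %s\n", $p2, $salt, crypt($p2, $salt));

printf("DES collision for %s / %s: %s\n",
       $p1, $p2, desCryptCollides($p1, $p2, $salt) ? "yes" : "no");
printf("DES collision for %s / %s: %s\n",
       $p1, $p3, desCryptCollides($p1, $p3, $salt) ? "yes" : "no");

printf("password_hash() distinguishes %s / %s: %s\n",
       $p1, $p2, passwordHashDistinguishes($p1, $p2) ? "yes" : "no");
```

Running it prints the DES outputs with their leading "12" salt and then the three yes/no checks; the first pair collides under DES but not under password_hash(), while the pair that differs within the first eight characters does not collide under either.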
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Fri Jun 22 17:01:44 2018 UTC