From manual page: http://www.php.net/intro.password
While using the "crypt($password, $salt)" function for two different strings with the same $salt, it returns the same encrypted text.
<?php
$email = "email@example.com";
$password = "biswajit"; // use "biswajit123" and it gives the same cipher
$salt = "1234";
$saltedPassword = crypt($password, $salt);
echo $saltedPassword; // prints the DES-based hash, prefixed with the salt "12"
This is a hash. Hashes are expected to have collisions. However, nice finding.
/* Standard DES-based hash with a two character salt
   from the alphabet "./0-9A-Za-z". */
/* password_hash() uses a strong hash, generates a strong salt,
   and applies proper rounds automatically. password_hash() is
   a simple crypt() wrapper and compatible with existing
   password hashes. Use of password_hash() is encouraged. */
As @phpmpan said, by using "12" as the salt (the rest is irrelevant) you've selected the "standard DES-based hash", and
> The standard DES-based crypt() returns the salt as the first two characters of
> the output. It also only uses the first eight characters of str, so longer
> strings that start with the same eight characters will generate the same result
> (when the same salt is used).
If you don't know what you're doing with crypt() then use the password hashing functions instead.
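The behaviour described in this thread, as an added example that is not part of the original bug report or comments: with the four-character salt "1234" only "12" is used, the DES-based crypt() echoes that salt as the first two characters of the output and hashes only the first eight characters of the password, so "biswajit" and "biswajit123" produce identical output, while password_hash()/password_verify() hash the whole password with a fresh random salt.

```php
<?php
// Added example (not from the bug thread). Reproduces the report:
// standard DES-based crypt() with salt "1234" (only "12" is used).
$salt = "1234";
$short = crypt("biswajit", $salt);     // exactly 8 characters
$long  = crypt("biswajit123", $salt);  // same first 8 characters

// Only the first eight characters of the password are hashed,
// so both calls return the same string.
var_dump($short === $long);              // bool(true)

// The salt is returned as the first two characters of the output.
var_dump(substr($short, 0, 2) === "12"); // bool(true)

// Anything beyond the eighth character is ignored entirely.
var_dump(crypt("biswajitXYZ", $salt) === $short); // bool(true)

// The recommended API: password_hash() picks a strong algorithm,
// generates a random salt per call, and hashes the full password.
$hash = password_hash("biswajit", PASSWORD_DEFAULT);
var_dump(password_verify("biswajit", $hash));    // bool(true)
var_dump(password_verify("biswajit123", $hash)); // bool(false)

// Two password_hash() calls on the same input differ (random salt);
// password_verify() extracts the salt from the stored hash itself.
$hash2 = password_hash("biswajit", PASSWORD_DEFAULT);
var_dump($hash === $hash2);                      // bool(false)
var_dump(password_verify("biswajit", $hash2));   // bool(true)
```

Run with the PHP CLI (`php example.php`); the DES-based branch of crypt() is what the reporter's four-character salt selects, which is why the "collision" is expected rather than a bug.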