Bug #70444 Produces same cipher for different string with same salt
Submitted: 2015-09-07 09:21 UTC Modified: 2015-09-07 09:47 UTC
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: sunshine dot cst dot 07 at gmail dot com Assigned:
Status: Not a bug Package: *Encryption and hash functions
PHP Version: 5.5.29 OS: Windows 7 Enterprise - 64bit
Private report: No CVE-ID: None
 [2015-09-07 09:21 UTC] sunshine dot cst dot 07 at gmail dot com
Description:
------------
---
From manual page: http://www.php.net/intro.password
---
While using the "crypt($password, $salt)" function for two different strings with the same $salt, it returns the same encrypted text.

Test script:
---------------
<?php
$email = "bforbiswajit@outlook.com";   // not used by the demonstration below
$password = "biswajit";   // use "biswajit123" and it gives the same cipher
$salt = "1234";           // only the first two characters of the salt are used
$saltedPassword = crypt($password, $salt);
echo $saltedPassword;


History
 [2015-09-07 09:40 UTC] phpmpan at mpan dot pl
This is a hash. Hashes are expected to have collisions. However, nice finding.

Also:
    /* Standard DES-based hash with a **two character salt**
       from the alphabet "./0-9A-Za-z". */
    /* password_hash() uses a strong hash, generates a strong salt,
       and applies proper rounds automatically. password_hash() is
       a simple crypt() wrapper and compatible with existing
       password hashes. Use of password_hash() is encouraged. */
       -- <https://secure.php.net/manual/en/function.crypt.php>
 [2015-09-07 09:47 UTC] requinix@php.net
-Status: Open +Status: Not a bug
 [2015-09-07 09:47 UTC] requinix@php.net
As @phpmpan said, by using "12" as the salt (the rest is irrelevant) you've selected the "standard DES-based hash", and
> The standard DES-based crypt() returns the salt as the first two characters of
> the output. It also only uses the first eight characters of str, so longer
> strings that start with the same eight characters will generate the same result
> (when the same salt is used).

If you don't know what you're doing with crypt() then use the password hashing functions instead.
http://php.net/manual/en/ref.password.php
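The script below is an added example, not part of the bug report or of either reply. It reproduces the behaviour requinix describes with the reporter's own values: under the standard DES scheme selected by a salt like "1234", only the first two salt characters and the first eight password characters matter, so "biswajit" and "biswajit123" hash identically, while a password that differs within the first eight characters does not. It then shows that password_hash()/password_verify() keeps the two passwords apart. The function names (des_crypt, collides, strong_hash) and the extra sample password "biswajiX" are constructed for this example.

```php
<?php
// Added example (not from the bug report): demonstrates why the two
// passwords collide under crypt() with the salt "1234", and how the
// password_* API avoids the problem. Function names and the extra
// sample password below are constructed for this demonstration.

declare(strict_types=1);

/**
 * Hash with PHP's crypt(). With a salt like "1234" PHP selects the
 * standard DES scheme: only the first two salt characters and the first
 * eight characters of the password are used.
 */
function des_crypt(string $password, string $salt): string
{
    return crypt($password, $salt);
}

/**
 * True when two passwords produce an identical crypt() hash under a given salt.
 */
function collides(string $a, string $b, string $salt): bool
{
    return hash_equals(des_crypt($a, $salt), des_crypt($b, $salt));
}

/**
 * Hash with password_hash(), which picks a strong algorithm (bcrypt by
 * default) and generates its own random salt. Verification goes through
 * password_verify(), so a stored hash is compared against a candidate
 * password rather than against another hash.
 */
function strong_hash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// --- demonstration with the reporter's values ---
$salt  = "1234";
$short = "biswajit";      // exactly eight characters
$long  = "biswajit123";   // same first eight characters, then more

$h1 = des_crypt($short, $salt);
$h2 = des_crypt($long, $salt);

printf("crypt(%s)    = %s\n", $short, $h1);
printf("crypt(%s) = %s\n", $long, $h2);

// The DES output carries the two salt characters as its first two characters.
printf("hash starts with the two-character salt: %s\n",
       var_export(substr($h1, 0, 2) === substr($salt, 0, 2), true));

// Same first eight characters: identical hash.
printf("DES collision for '%s' vs '%s': %s\n", $short, $long,
       var_export(collides($short, $long, $salt), true));

// A difference inside the first eight characters is still detected.
printf("DES collision for '%s' vs 'biswajiX': %s\n", $short,
       var_export(collides($short, "biswajiX", $salt), true));

// password_hash()/password_verify() distinguish the two passwords.
$stored = strong_hash($short);
printf("password_verify('%s'): %s\n", $short,
       var_export(password_verify($short, $stored), true));
printf("password_verify('%s'): %s\n", $long,
       var_export(password_verify($long, $stored), true));
```

Run it with the PHP CLI (php script.php). The collides() check uses hash_equals() rather than === so that the comparison is constant-time, the same habit you would want in any code that compares hashes; the bcrypt hash produced by strong_hash() is random per call, which is why the example compares through password_verify() instead of comparing two stored hashes.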
Last updated: Wed Oct 17 11:01:25 2018 UTC