Bug #70444 Produces same cipher for different string with same salt
Submitted: 2015-09-07 09:21 UTC Modified: 2015-09-07 09:47 UTC
Avg. Score: 1.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 0 (0.0%)
Same OS: 0 (0.0%)
From: sunshine dot cst dot 07 at gmail dot com Assigned:
Status: Not a bug Package: *Encryption and hash functions
PHP Version: 5.5.29 OS: Windows 7 Enterprise - 64bit
Private report: No CVE-ID: None
 [2015-09-07 09:21 UTC] sunshine dot cst dot 07 at gmail dot com
From manual page:
While using the "crypt($password, $salt)" function for two different strings with the same $salt, it returns the same encrypted text.

Test script:
<?php
$email = "";              // unused in this reproduction
$password = "biswajit";   // use "biswajit123" and it gives same cipher
$salt = "1234";           // standard DES crypt(): only the first two characters ("12") act as the salt
$saltedPassword = crypt($password, $salt);
echo $saltedPassword;
 [2015-09-07 09:40 UTC] phpmpan at mpan dot pl
This is a hash. Hashes are expected to have collisions. However, nice finding.

    /* Standard DES-based hash with a **two character salt**
       from the alphabet "./0-9A-Za-z". */
    /* password_hash() uses a strong hash, generates a strong salt,
       and applies proper rounds automatically. password_hash() is
       a simple crypt() wrapper and compatible with existing
       password hashes. Use of password_hash() is encouraged. */
      -- <>
 [2015-09-07 09:47 UTC]
-Status: Open +Status: Not a bug
 [2015-09-07 09:47 UTC]
As @phpmpan said, by using "12" as the salt (the rest is irrelevant) you've selected the "standard DES-based hash", and
> The standard DES-based crypt() returns the salt as the first two characters of
> the output. It also only uses the first eight characters of str, so longer
> strings that start with the same eight characters will generate the same result
> (when the same salt is used).

If you don't know what you're doing with crypt() then use the password hashing functions instead.
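As an added example (this is not code from the bug report, the PHP manual, or PHP itself; it assumes PHP 7 or later, and the helper names desCollides, hashScheme and legacyEntries are mine), the script below shows the two properties quoted above (two-character DES salt, eight-character password truncation), the password_hash() path the maintainers recommend, and a small audit that finds legacy crypt() hashes in a constructed user table so they can be scheduled for rehashing:

```php
<?php
// Added example, not code from the bug report or from PHP.

/**
 * True when two passwords produce the same standard-DES crypt() output
 * under the given salt. crypt() keeps only the first two salt characters
 * and only the first eight password characters for this scheme.
 */
function desCollides(string $a, string $b, string $salt): bool
{
    return crypt($a, $salt) === crypt($b, $salt);
}

/**
 * Classify a stored hash by its prefix. The prefixes are PHP's documented
 * crypt() formats; a 13-character string with no prefix is standard DES.
 */
function hashScheme(string $hash): string
{
    $prefixes = [
        '$2y$' => 'bcrypt',
        '$2a$' => 'bcrypt',
        '$6$'  => 'sha512-crypt',
        '$5$'  => 'sha256-crypt',
        '$1$'  => 'md5-crypt',
        '_'    => 'extended-des',
    ];
    foreach ($prefixes as $prefix => $name) {
        if (strncmp($hash, $prefix, strlen($prefix)) === 0) {
            return $name;
        }
    }
    return strlen($hash) === 13 ? 'standard-des' : 'unknown';
}

/**
 * Return user => scheme for every stored hash that should be migrated.
 * password_needs_rehash() is true for anything that is not the current
 * default algorithm and cost, which covers every legacy crypt() format.
 */
function legacyEntries(array $userHashes): array
{
    $legacy = [];
    foreach ($userHashes as $user => $hash) {
        if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
            $legacy[$user] = hashScheme($hash);
        }
    }
    return $legacy;
}

// --- reproduction of the report ------------------------------------------
$salt = "1234";   // crypt() uses "12" as the salt and ignores the rest
var_dump(desCollides("biswajit", "biswajit123", $salt)); // same first 8 chars
var_dump(desCollides("biswajit", "biswajiX", $salt));    // differ within 8 chars
var_dump(substr(crypt("biswajit", $salt), 0, 2) === "12"); // salt is echoed in the output

// --- recommended replacement ---------------------------------------------
$stored = password_hash("biswajit", PASSWORD_DEFAULT);
var_dump(password_verify("biswajit", $stored));
var_dump(password_verify("biswajit123", $stored));

// --- audit of a constructed user table (sample data, not real accounts) ---
$constructedTable = [
    'alice' => crypt("biswajit", "12"), // legacy standard DES
    'bob'   => $stored,                 // bcrypt produced by password_hash()
];
print_r(legacyEntries($constructedTable));
```

The collision in the first var_dump is the behaviour reported in this bug: "biswajit" and "biswajit123" share their first eight characters, so standard DES crypt() cannot tell them apart. The last block is the defender's check: run legacyEntries() over the real credential store and rehash each flagged account with password_hash() at the user's next successful login, since the original password is needed to produce the new hash.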
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Mon Aug 10 16:01:23 2020 UTC