Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

(PHP) How to correctly implement crypt()

Tags:

php

crypt

Here is the example from the PHP manual page for crypt():

<?php
$password = crypt('mypassword'); // let the salt be automatically generated

/* You should pass the entire results of crypt() as the salt for comparing a
   password, to avoid problems when different hashing algorithms are used. (As
   it says above, standard DES-based password hashing uses a 2-character salt,
   but MD5-based hashing uses 12.) */
if (crypt($user_input, $password) == $password) {
   echo "Password verified!";
}
?>

Why does this work? I take it 'mypassword' is the password I want the actual admin to use. So I crypt that first, and set it equal to $password. Obviously, I must need to store that in the DB. But in the next lines it's being used as both the salt and what I'm comparing to, and I don't understand how crypt($user_input, $password) can possibly be equal to $password, if in this latter case I have ideally the right password as $user_input but salted with $password being compared to $password. It would make more sense to me if the last line were

if (crypt($user_input) == $password) {
   echo "Password verified!";
}

What am I not understanding?

like image 675
Tony Stark Avatar asked Feb 10 '10 09:02

Tony Stark


1 Answers

crypt is a one-way function and returns a string that already contains the salt. The output is similar to what is stored in /etc/shadow.

Example from php.net:

<?php
echo 'result: ' . crypt('somepassword');
echo 'result: ' . crypt('somepassword');
echo 'result: ' . crypt('somepassword');
?>

result: $1$K2D8DGwq$b05uO37aMwO4rnDlB9Rsi1
result: $1$aPBvu2y.$213YVEs8/5m.jMCXSScly/
result: $1$dW3Xu2p6$nuCtJe2zzlgBMLxN2oZCx/

When comparing the user input with the crypt result, the function automatically extracts the salt from the string.

like image 60
AndiDog Avatar answered Sep 20 '22 11:09

AndiDog