What's the output length of PHP `crypt()`? `md5()` output is 128 bits and produces a string with 32 chars, so in a database you put that in a `char(32)` column. What about `crypt()`?
The `crypt()` function returns a hashed string using DES, Blowfish, or MD5 algorithms. This function behaves differently on different operating systems. PHP checks what algorithms are available and what algorithms to use when it is installed.
In short: yes, that value is absolutely safe to store in a database. The hash generated by `crypt()` is specifically intended to be stored.
Encoding Passwords: The `crypt()` function generates an encoded version of each password. The first call to `crypt()` produces an encoded version of the old password; that encoded password is then compared to the password stored in the user database. The second call to `crypt()` encodes the new password before it is stored.
What is a salt? A cryptographic salt is data which is applied during the hashing process in order to eliminate the possibility of the output being looked up in a list of pre-calculated pairs of hashes and their input, known as a rainbow table.
Note: It is totally limited to ask the question that way, see http://php.net/crypt
Some more details:
`crypt` always returns the hashed string or a string that is shorter than 13 characters and is guaranteed to differ from the salt on failure.
Examples:
Let's start lightly with a simple `crypt` call and a valid two-character salt for a standard DES-based hash:
13 :: 2 (salt) + 11 (hash - 64 bits, base 64)
If you use PHP's `crypt` and specifically MD5 (here better named: md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5; Hashcat mode 500) and an empty salt, the output length is:
26 :: 3 (`$1$`) + 0 (empty salt) + 1 (`$`) + 22 (hash - 128 bits, base 64)
If on a system where PHP's `crypt` defaults to the said MD5 and it is called without specifying a salt, `crypt` will generate the salt. This salt is normally 8 characters long. The output length then is:
34 :: 3 (`$1$`) + 8 (salt) + 1 (`$`) + 22 (hash)
In this case, your database table column `char(32)` would either report an error on insert or truncate, depending on which database server you are using.
But the MD5 example is moot, I picked it because you have it in your question, but you should not use MD5 with `crypt` (see: Md5crypt Password scrambler is no longer considered safe by author).
Instead let's take a look into Blowfish hashing (`CRYPT_BLOWFISH`). It has a two-digit cost parameter and always a salt length of 22 (if a shorter salt is given, it is padded with `$`s):
60 :: 4 (`$2y$`) + 3 (cost `$`) + 22 (salt) + 1 (`$`) + 53 (hash)
For the Blowfish crypt hash algorithm (bcrypt, OpenBSD Blowfish; Hashcat mode 3200) there is a fixed length of 60 then.
As you can see, the output length depends on the hash algorithm used, the length of the salt and even some hash-specific parameters like the cost.
If you for example opt for SHA512 with 999 999 999 rounds and a 16-byte-long salt, the output length is:
123 :: 3 (`$6$`) + 17 (`rounds=999999999$`) + 16 (salt) + 1 (`$`) + 86 (hash)
This example is a little bit extreme maybe, just to show the picture.
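The length arithmetic above, checked by actually calling `crypt()` for each format, as an added example that is not part of the question or the answer. It assumes PHP 7.4 or later (`random_bytes()`, arrow functions) and the `$2y$` bcrypt prefix; the demo password, the bcrypt cost of 10 and the SHA-512 `rounds=10000` value are constructed for the demonstration, and the salts are freshly generated on every call.

```php
<?php
// Added example (not from the original question or answer): measure the
// length of each crypt() output format the answer walks through, then check
// whether each would fit in a CHAR(n) column without an error or truncation.
declare(strict_types=1);

// Build a salt of $len characters from crypt()'s alphabet [./0-9A-Za-z].
// base64 uses '+' and '/', so '+' is mapped to '.'; '/' is already valid.
function cryptSalt(int $len): string
{
    $raw = base64_encode(random_bytes($len));
    return substr(strtr($raw, '+', '.'), 0, $len);
}

// Returns [format name => strlen(crypt() output)] for the answer's cases.
function cryptLengths(string $password = 'correct horse battery staple'): array
{
    $cases = [
        'std-des'        => cryptSalt(2),                              // 2 + 11 = 13
        'md5-empty-salt' => '$1$',                                     // 3 + 0 + 1 + 22 = 26
        'md5-8-salt'     => '$1$' . cryptSalt(8) . '$',                // 3 + 8 + 1 + 22 = 34
        'bcrypt-cost10'  => '$2y$10$' . cryptSalt(22),                 // 7 + 22 + 31 = 60
        'sha512-rounds'  => '$6$rounds=10000$' . cryptSalt(16) . '$',  // 3 + 13 + 16 + 1 + 86 = 119
    ];
    $out = [];
    foreach ($cases as $name => $salt) {
        $hash = crypt($password, $salt);
        // crypt() signals failure with a string shorter than 13 chars ("*0" / "*1");
        // never store such a value, treat it as an error instead.
        if (strlen($hash) < 13) {
            throw new RuntimeException("crypt() failed for format $name");
        }
        $out[$name] = strlen($hash);
    }
    return $out;
}

// Which of the measured hashes would survive a CHAR($width) column intact?
function fitsColumn(array $lengths, int $width): array
{
    return array_map(fn(int $n): bool => $n <= $width, $lengths);
}

$lengths = cryptLengths();
print_r($lengths);
print_r(fitsColumn($lengths, 32));  // only std-des (13) and md5-empty-salt (26) fit
```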