How does crypt($pass, '$2y$09$salt') === crypt($pass, crypt($pass, '$2y$09$salt')) in PHP?

Hi, I'm very confused by the PHP crypt() function.

How do the following two crypt() calls give the same result when the second one clearly uses a different 2nd argument? A different salt means a different hash, right?

echo crypt("password", '$2y$09$anexamplestringforsalt$')."\n<br>";
echo crypt("password", crypt("password", '$2y$09$anexamplestringforsalt$'))."\n<br>";

output:

$2y$09$anexamplestringforsale/.K.VdgECUVEd9N4ja3u1WtgPi5BXZq 
+4
1 answer

The reason is that the salt is part of the hash output that crypt() produces.

$2y$09$anexamplestringforsale/.K.VdgECUVEd9N4ja3u1WtgPi5BXZq 

This is broken down into several components:

  • 2y - algorithm identifier (bcrypt)
  • 09 - cost parameter
  • anexamplestringforsale - salt
  • /.K.VdgECUVEd9N4ja3u1WtgPi5BXZq - hash

This gives a useful property: you can simply pass the stored hash itself as the salt in the verification call.

$hash = crypt($password, $salt);

if ($hash === crypt($password, $hash)) {
    // password matches
}

But it is better to use the dedicated API for this: password_hash().

+11
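The example below is added here and is not code from the question or the answer. It takes the answer's decomposition one step further: it parses a bcrypt string into its components, shows why the salt comes back as "...forsale" rather than the "...forsalt" that was passed in (bcrypt reads exactly 22 salt characters, the trailing '$' is ignored, and only the top 2 bits of the 22nd character are used, so the salt is re-encoded in canonical form on output), and then does the verification with a timing-safe comparison and with the password_* API. The bcrypt_parts() and verify_with_crypt() helpers and the cost values are assumptions of this example, not part of the original post.

```php
<?php
// Added example (not from the original question or answer). Shows why
// crypt($pass, $hash) === $hash holds for bcrypt strings and how the same
// check looks with PHP's password_* API. All values are constructed here.

// The bcrypt "setting" string from the question: $2y$<cost>$<22-char salt>.
// bcrypt reads exactly 22 salt characters; the trailing '$' is ignored.
$setting  = '$2y$09$anexamplestringforsalt$';
$password = 'password';

// Split a bcrypt string into its components (id, cost, salt, hash).
// Layout: "$2y$09$" (7 chars) + 22-char salt + 31-char hash = 60 chars.
// (hypothetical helper, not a PHP built-in)
function bcrypt_parts(string $crypted): array {
    $re = '/^\$(2[abxy])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    if (!preg_match($re, $crypted, $m)) {
        throw new InvalidArgumentException('not a bcrypt string');
    }
    return ['id' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'hash' => $m[4]];
}

$stored = crypt($password, $setting);
$parts  = bcrypt_parts($stored);
print_r($parts);

// The salt is re-encoded on output: 22 base64 chars carry 132 bits but the
// salt is only 128, so only the top 2 bits of the 22nd character survive
// and "...forsalt" comes back as "...forsale" (exactly as in the question).
var_dump(substr($setting, 7, 22) === $parts['salt']);   // bool(false)

// Verification: the stored string is itself a valid setting, so crypt()
// reads the same id/cost/salt from it and must reproduce the same hash.
// Use hash_equals(), not ===, so the comparison does not leak timing.
// (hypothetical helper, not a PHP built-in)
function verify_with_crypt(string $password, string $stored): bool {
    return hash_equals($stored, crypt($password, $stored));
}
var_dump(verify_with_crypt('password', $stored));       // bool(true)
var_dump(verify_with_crypt('Password', $stored));       // bool(false)

// The same flow with the password_* API: it generates a random salt for
// you and performs the timing-safe comparison internally.
$hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
var_dump(password_verify('password', $hash));           // bool(true)

// Detect hashes made with a weaker cost (like cost 09 above) so they can
// be upgraded at the next successful login.
var_dump(password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12]));  // bool(true)
```

The first var_dump is false for exactly the reason the question's output shows "anexamplestringforsale": the salt string you pass in is not what gets stored, the canonical re-encoding is. That is also why you should never compare a crypt() result against a string you built yourself; always compare against what crypt() returned, and do it with hash_equals() or, better, let password_verify() do it for you.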

Source: https://habr.com/ru/post/1533584/
