All geek questions in one place

Why is a string hashed by a hash since salt returns a hash?

I read about password security in PHP, and I came across an interesting expression:

Password hashing with its hash, as salt returns the same hash

Without much thought, I went to php.net and found that it says the same thing.

Let's look at an example:

crypt("test", "test"); -> teH0wLIpW0gyQ crypt("test", "teH0wLIpW0gyQ"); -> teH0wLIpW0gyQ

I can fully understand that crypt in PHP generates a one-way hash of a given string.

  • I don’t understand how we can get the same hash output using two completely different salts?
  • Does this mean that there are possibly other salts that could give me the same hash?

Following actions

Thanks to everyone for your pointers. Now I see that the default behavior is to use only the first two characters of salt, which fully answers all my questions. You feel stupid, but ...

+6
source share
2 answers

1. I do not understand how we can get the same hash result using two completely different salts?

Although you provided different salts to the crypt function, it uses the same salt inside, ie, te . This is due to how crypt implemented:

Standard DES-based descriptor with two-character salt from the alphabet "./0-9A-Za-z".

So, even if you provide a salt longer than 2 characters, it will only occupy the first two.

And since the crypt s output contains the used salt added to the computed hash, using the crypt hash as a salt leads to the exact same output. And this is just fine, as you can use the following to verify the saved password:

 crypt($password, $hash) === $hash


2. Does this mean that there are possibly other salts that could give me the same hash?

Yes. This also applies to other crypt algorithms such as bcrypt.

+3
source

This is done on purpose. Your crypt function, when the second argument consists of letters and numbers, uses only the first two characters "salt" for encryption, and these two characters are placed at the beginning of the result. In this way,

 crypt("test", "test"); -> teH0wLIpW0gyQ crypt("test", "te"); -> teH0wLIpW0gyQ crypt("test", "tea"); -> teH0wLIpW0gyQ crypt("test", "temperature"); -> teH0wLIpW0gyQ etc.

This is done to easily verify that the password is correct, so crypt($password, crypt($password, $salt)) == crypt($password, $salt)

+4
source

Source: https://habr.com/ru/post/957753/

More articles:


All Articles