
crypt() not functioning as needed

I'm using crypt as follows:

$pass = crypt($pass, 'd4');

for both insertion and validation of a password against a mysql table. Problem is that if the passwords are similar it generates a similar result. Is there an algorithm that guarantees different results for different passwords?


Use hash() and choose a hashing algorithm that suits you well (if possible something stronger than MD5, but don't go all the way to SHA512 either).

On crypt()'s manual page you will find this:

The standard DES-based crypt() returns the salt as the first two characters of the output. It also only uses the first eight characters of str, so longer strings that start with the same eight characters will generate the same result (when the same salt is used).

which should explain why you get the same results.


Using crypt() is fine, as long as you don't use the old DES-based mode (CRYPT_STD_DES). The only valid reason to use that is for interoperability with legacy software that uses such password hashes.

Instead, use the CRYPT_BLOWFISH, CRYPT_SHA256 or CRYPT_SHA512 modes. These are modern password hashing algorithms that accept arbitrarily long passphrases, use long salts and support key strengthening via multiple iterations.

Unfortunately, the PHP crypt() interface is somewhat awkward: the only way to explicitly choose the algorithm you want is by supplying a correctly formatted $salt parameter, which means you also have to generate the actual salt yourself. That's probably still easier and safer than rolling your own password hashing code, though.
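As an added example (not code from the answer above, and not part of the original post), here is how to select the CRYPT_BLOWFISH mode purely through the salt format, as the answer describes, and then verify a password against the stored hash. The helper names bcryptSalt(), hashPassword() and verifyPassword() are my own; the `$2y$` prefix, two-digit cost field and 22-character salt drawn from `./A-Za-z0-9` are PHP's documented bcrypt salt format. One caveat the answer does not mention: bcrypt itself only uses the first 72 bytes of the password, so "arbitrarily long" holds for any realistic passphrase but is not literally unlimited. PHP 5.5 and later wrap exactly this pattern in password_hash() and password_verify(); the code below is what that wrapper does by hand.

```php
<?php
// Added example (not from the original answers): choosing the bcrypt mode of
// crypt() by supplying a correctly formatted salt, then verifying a password.
// Requires PHP 7.0+ for random_bytes() and PHP 5.6+ for hash_equals().

function bcryptSalt(): string
{
    // bcrypt wants exactly 22 characters from the alphabet ./A-Za-z0-9.
    // 16 random bytes -> 24 base64 characters; swap '+' for '.' and drop
    // the trailing "==" padding so every character is in that alphabet.
    return substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
}

function hashPassword(string $password, int $cost = 10): string
{
    // "$2y$" selects CRYPT_BLOWFISH; the two-digit cost is log2 of the
    // number of key-setup rounds (10 => 1024 rounds). Single quotes keep
    // the dollar signs literal.
    $hash = crypt($password, sprintf('$2y$%02d$%s', $cost, bcryptSalt()));

    // crypt() signals failure with a short string such as "*0"; a valid
    // bcrypt hash is always 60 characters long.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('CRYPT_BLOWFISH is not available in this PHP build');
    }
    return $hash;
}

function verifyPassword(string $password, string $storedHash): bool
{
    // Passing the stored hash as the salt reuses its prefix, cost and salt,
    // so crypt() recomputes with identical parameters. hash_equals()
    // compares in constant time to avoid a timing side channel.
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// Demo with a constructed password. The hash is different on every run
// because the salt is random, yet verification still succeeds.
$stored = hashPassword('correct horse battery staple');
echo "stored:   {$stored}\n";
echo 'correct:  ', verifyPassword('correct horse battery staple', $stored) ? 'accepted' : 'rejected', "\n";
echo 'wrong:    ', verifyPassword('correct horse battery stapler', $stored) ? 'accepted' : 'rejected', "\n";
```

Store the full 60-character string; the prefix, cost and salt are embedded in it, so the cost can be raised later for new passwords without breaking verification of old ones.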


You could add a salt. Typically though, if you're storing passwords you'll want to hash them, not encrypt them. There's a load of stuff you can learn about this if you search for it (like on Google).


From the PHP crypt() page:

The standard DES-based crypt() returns the salt as the first two characters of the output. It also only uses the first eight characters of str, so longer strings that start with the same eight characters will generate the same result (when the same salt is used).

You may also want to use a different method of crypt such as MD5 or SHA256 as these are often preferable to DES.

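This answer and the earlier one quoting the same manual passage both explain the questioner's symptom with the eight-character limit of CRYPT_STD_DES. The following added example (not from the original answers) reproduces it with the questioner's own salt 'd4' and also shows the two-character salt prefix in the output. desHash() is a wrapper I named for the demo; the input pairs are constructed.

```php
<?php
// Added example (not from the original answers): why two passwords that share
// their first eight characters collide under the standard DES mode of crypt().

function desHash(string $password, string $salt = 'd4'): string
{
    // A two-character salt from ./0-9A-Za-z selects CRYPT_STD_DES, which
    // only looks at the first eight bytes of the password.
    return crypt($password, $salt);
}

// Constructed pairs. The first two share their first eight characters and
// therefore hash identically under the same salt; the second pair differ
// within the first eight characters and do not.
$pairs = [
    ['password1', 'password2'],
    ['secret', 'secrets'],
];

foreach ($pairs as [$a, $b]) {
    $ha = desHash($a);
    $hb = desHash($b);
    printf("%-10s %s\n%-10s %s\n  collide: %s\n\n",
        $a, $ha, $b, $hb, $ha === $hb ? 'yes' : 'no');
}

// The output is 13 characters: the salt itself followed by 11 hash
// characters. Every hash made with 'd4' therefore starts with "d4", which is
// part of why similar passwords look like they produce similar results.
$h = desHash('anything');
echo 'salt prefix: ', substr($h, 0, 2), '  total length: ', strlen($h), "\n";
```

Running this shows "password1" and "password2" collide while "secret" and "secrets" do not, which is exactly the behaviour the manual describes and the reason to move to one of the modes discussed in the other answers.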
