crypt() not functioning as needed
I'm using crypt as follows:
$pass = crypt($pass, 'd4');
for both insertion and validation of a password against a mysql table. Problem is that if the passwords are similar it generates a similar result. Is there an algorithm that guarantees different results for different passwords?
Use hash() and choose a hashing algorithm that suits you well (if possible something stronger than MD5, but don't go all the way to SHA512 either).
On crypt()'s manual page you will find this:
The standard DES-based crypt() returns the salt as the first two characters of the output. It also only uses the first eight characters of str, so longer strings that start with the same eight characters will generate the same result (when the same salt is used).
which should explain why you get the same results.
Using crypt() is fine, as long as you don't use the old DES-based mode (CRYPT_STD_DES). The only valid reason to use that is for interoperability with legacy software that uses such password hashes.
Instead, use the CRYPT_BLOWFISH, CRYPT_SHA256 or CRYPT_SHA512 modes. These are modern password hashing algorithms that accept arbitrarily long passphrases, use long salts and support key strengthening via multiple iterations.
Unfortunately, the PHP crypt() interface is somewhat awkward: the only way to explicitly choose the algorithm you want is by supplying a correctly formatted $salt parameter, which means you also have to generate the actual salt yourself. That's probably still easier and safer than rolling your own password hashing code, though.
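The eight-character truncation quoted in the answer above, and the CRYPT_BLOWFISH fix this answer recommends, as an added example; this is editor-written code, not code from the question or from any answer on the page. It assumes PHP 7.0 or later (random_bytes() and hash_equals(); the "$2y$" prefix itself needs PHP 5.3.7 or later), and the password strings are constructed test values.

```php
<?php
// Added example, not from the original question or answers.
// Assumes PHP >= 7.0 (random_bytes, hash_equals); passwords below are constructed.

// 1. The problem from the question: CRYPT_STD_DES (two-character salt) only
//    looks at the first eight characters, so these two collide.
$a = crypt('password1', 'd4');
$b = crypt('password2', 'd4');
var_dump($a === $b); // bool(true): different passwords, identical hash

// 2. The fix: select a modern mode by formatting the salt yourself.
//    bcrypt expects "$2y$<2-digit cost>$" followed by 22 chars from [./A-Za-z0-9].
function make_bcrypt_salt(int $cost = 12): string {
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    // 16 random bytes -> 24 base64 chars; bcrypt's alphabet uses '.' where
    // base64 uses '+', and '/' is already valid, so one substitution suffices.
    $raw = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $raw);
}

function hash_password(string $password): string {
    $hash = crypt($password, make_bcrypt_salt());
    // crypt() reports failure with a short string such as "*0"; a bcrypt hash
    // is always exactly 60 characters, so refuse to store anything else.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('crypt() failed; is CRYPT_BLOWFISH available?');
    }
    return $hash;
}

function verify_password(string $password, string $stored): bool {
    // Passing the stored hash as the salt makes crypt() reuse its mode, cost
    // and salt, so the correct password reproduces the stored string exactly.
    // hash_equals() does the comparison in constant time.
    return hash_equals($stored, crypt($password, $stored));
}

$stored = hash_password('password1');
var_dump(verify_password('password1', $stored)); // bool(true)
var_dump(verify_password('password2', $stored)); // bool(false)
// The same password hashed twice also differs, because every call draws a
// fresh salt; only the stored hash's own salt lets it be reproduced.
var_dump(hash_password('password1') === $stored); // bool(false)
// For CRYPT_SHA512 the salt format is '$6$rounds=<n>$' plus 16 salt characters
// from the same alphabet; everything else above stays the same.
```

On PHP 5.5 and later, password_hash() and password_verify() do exactly this (bcrypt with a freshly generated salt) without the hand-built salt string, and are the better choice when available.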
You could add a salt. Typically though if you're storing passwords you'll want to hash them, not encrypt them. There's load of stuff you can learn about this if you search for it (like on Google).
From the PHP crypt() page:
The standard DES-based crypt() returns the salt as the first two characters of the output. It also only uses the first eight characters of str, so longer strings that start with the same eight characters will generate the same result (when the same salt is used).
You may also want to use a different method of crypt such as MD5 or SHA256 as these are often preferable to DES.