Why is the PHP crypt() function returning the same thing for two different strings?

栀梦 2021-01-22 23:49

I'm using PHP's crypt function for password hashing/encryption, but I don't think I am doing it right because "nathan12" and "nathan123" both allow me to log

3 Answers
  •  后悔当初
    2021-01-23 00:34

    You should be using password_hash() instead of crypt, for the reasons you mention: "I'm probably not even using the crypt function properly". You say you are getting the salt from the DB... this sounds insecure. With password_hash() you can let PHP handle the salting for you in a secure manner.

    More details on why this is superior: http://www.sitepoint.com/hashing-passwords-php-5-5-password-hashing-api/
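
The symptom from the question next to the password_hash() approach the answer recommends, as an added example that is not part of the original thread. It assumes the original code passed a short DES-style salt to crypt(), in which case crypt() reads only the first eight characters of the password; the salt `ab` and the helper `verify_and_upgrade()` are constructed for illustration.

```php
<?php
// Added example. The two passwords are the strings from the question; the
// salt 'ab' is constructed. Assumption: the legacy code used a short
// (DES-style) salt with crypt().

$short = 'nathan12';
$long  = 'nathan123';

// A two-character salt selects CRYPT_STD_DES, which reads only the first
// eight characters of the password; the ninth character of $long is ignored.
$legacyShort = crypt($short, 'ab');
$legacyLong  = crypt($long, 'ab');
printf("DES hashes identical: %s\n",
    var_export(hash_equals($legacyShort, $legacyLong), true));

// password_hash() chooses the algorithm, cost and a random salt itself and
// stores all three inside the returned string, so no separate salt column
// has to be read from the database.
$stored = password_hash($long, PASSWORD_DEFAULT);
printf("full password accepted: %s\n",
    var_export(password_verify($long, $stored), true));
printf("shorter password accepted: %s\n",
    var_export(password_verify($short, $stored), true));

/**
 * Hypothetical login helper. Verifies $password against the stored hash
 * (legacy crypt() output or password_hash() output). On success, $newHash
 * is set to a replacement hash if the stored one should be upgraded,
 * otherwise it stays null.
 */
function verify_and_upgrade(string $password, string $storedHash, ?string &$newHash): bool
{
    $newHash = null;
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Migrating a row that still holds the legacy DES hash at the next login.
if (verify_and_upgrade($long, $legacyLong, $newHash) && $newHash !== null) {
    // The caller would write $newHash back to the user's row here.
    printf("upgraded hash accepts shorter password: %s\n",
        var_export(password_verify($short, $newHash), true));
}
```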
