I'm using PHP's crypt function for password hashing/encryption, but I don't think I am doing it right because "nathan12" and "nathan123" both allow me to log
You should use more than just a password salt to encrypt passwords.
You can store a random string in your configuration file.
$config['passwordKey'] = 'asjdfa783#H$Khjsdfhas78a734J%JSDGK2348235hxmfdA';
And append it to $salt when encrypting. This way, if the database is compromised and your file system is not, then attackers can't decrypt your database password hashes. This should be essential to protect the users' information on other sites with identical login information.
To hash your passwords, password_hash is a simple crypt() wrapper specially configured for password hashing! (source)
$password = password_hash($password, PASSWORD_BCRYPT, array(
    // bcrypt only accepts a cost from 4 to 31; the original value of 60 is rejected
    'cost' => 12,
    'salt' => $salt . $config['passwordKey']
));
You should be using password_hash() instead of crypt, for the reasons you mention: "I'm probably not even using the crypt function properly". You say you are getting the salt from the DB... this sounds insecure. With password_hash() you can let PHP handle the salting for you in a secure manner.
More details on why this is superior: http://www.sitepoint.com/hashing-passwords-php-5-5-password-hashing-api/
The standard DES-based crypt() [...] only uses the first eight characters of str, so longer strings that start with the same eight characters will generate the same result (when the same salt is used).
source
Use a salt that starts with $<algo>$ to use something other than DES. See the crypt() documentation for details.
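The eight-character truncation described in the last answer, next to the password_hash() replacement recommended above, as an added example that is not part of the original answers. The two-character salt 'ab', the cost of 12 and the helper name verifyAndUpgrade() are assumptions chosen for illustration.

```php
<?php
// Added example. The passwords are the ones from the question; the salt
// 'ab' and the helper name verifyAndUpgrade() are constructed for illustration.

$short = 'nathan12';
$long  = 'nathan123';

// A two-character salt selects standard DES, which reads only the first
// eight characters of the password, so both inputs produce the same hash.
$legacy = crypt($short, 'ab');
echo "DES hashes identical: ";
var_dump(hash_equals($legacy, crypt($long, 'ab')));

// password_hash() generates its own random salt and, with PASSWORD_BCRYPT,
// hashes the whole password (bcrypt itself stops at 72 bytes).
$modern = password_hash($short, PASSWORD_BCRYPT, ['cost' => 12]);
echo "bcrypt accepts the real password: ";
var_dump(password_verify($short, $modern));
echo "bcrypt accepts the longer variant: ";
var_dump(password_verify($long, $modern));

// Migration at login: password_verify() understands any crypt() format,
// and password_needs_rehash() flags hashes that are not bcrypt at cost 12.
// Returns [login ok?, replacement hash to store or null].
function verifyAndUpgrade(string $password, string $stored): array
{
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    $opts = ['cost' => 12];
    $new = password_needs_rehash($stored, PASSWORD_BCRYPT, $opts)
        ? password_hash($password, PASSWORD_BCRYPT, $opts)
        : null;
    return [true, $new];
}

// A legacy DES row still verifies, and comes back with a bcrypt hash
// that should overwrite the stored value.
[$ok, $replacement] = verifyAndUpgrade($short, $legacy);
echo "legacy login ok: ";
var_dump($ok);
echo "replacement hash is bcrypt: ";
var_dump($replacement !== null && strpos($replacement, '$2y$') === 0);
```

When a legacy DES row is upgraded this way, the new hash covers whatever the user typed at that login, which may be a longer string than the eight characters the old hash actually checked.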