Hi all,

I was under the impression that using a salt for the PHP crypt() function would make a string more crypted. However, when I do this:

//$randomID generated to 10 varchar string
$cleanpw1 = crypt('thispassword1111');
$cleanpw2 = crypt('thispassword1111', md5('thispassword1111'));
$cleanpw3 = crypt('thispassword1111', md5($randomID));
echo $cleanpw1."<br>".$cleanpw2."<br>".$cleanpw3;

the output I get is:

$1$zKCoK2/i$jElx3xuWMYwN8VsxHLY3x/
ef827I6B6vgQ2
27j6vsZz7cGqE

To me, it looks like the unsalted crypt() gives a string that would be more crypted/secure. Am I missing something here?

B.t.w., the shared server I'm on does not have Blowfish, SHA-256 or SHA-512.

    In the first form, crypt() generates a salt as well as the hash. See Example 1 on its manual page for an example of how the two-argument form is used.

      Thanks for the reply!

      So is it the $1$ prepended to the string, along with the trailing $, that makes this an MD5 hashing of crypt()? In other words, "forcing" crypt to use CRYPT_MD5 so that it doesn't choose one itself?

      $cleanpw = crypt('$1$'.'thispassword1111'.'$', '$1$'.'userid'.'$');
      
        Weedpacket;11027145 wrote:

        In the first form, crypt() generates a salt as well as the hash. See Example 1 on its manual page for an example of how the two-argument form is used.

        What do you think of PHPass?
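
An added example, not part of any post in this thread: it shows how the prefix of the salt decides which algorithm crypt() runs, using the three outputs quoted in the first post. The helper name `crypt_scheme()` and the sample salt are made up for the illustration, and PHP 7 or later is assumed.

```php
<?php
// Added example, not code from the thread. Classifies a crypt() salt or hash
// by its prefix, which is how crypt() decides which algorithm to run.
function crypt_scheme(string $s): string
{
    if (preg_match('/^\$2[axy]\$/', $s)) return 'CRYPT_BLOWFISH';
    if (strncmp($s, '$1$', 3) === 0)     return 'CRYPT_MD5';
    if (strncmp($s, '$5$', 3) === 0)     return 'CRYPT_SHA256';
    if (strncmp($s, '$6$', 3) === 0)     return 'CRYPT_SHA512';
    if (strncmp($s, '_', 1) === 0)       return 'CRYPT_EXT_DES';
    return 'CRYPT_STD_DES';
}

// The three outputs quoted in the first post.
$outputs = [
    '$1$zKCoK2/i$jElx3xuWMYwN8VsxHLY3x/',
    'ef827I6B6vgQ2',
    '27j6vsZz7cGqE',
];
foreach ($outputs as $h) {
    echo str_pad(crypt_scheme($h), 14), ' ', $h, "\n";
}

// md5() returns 32 hex characters with no "$1$" prefix, so crypt() reads it as
// a standard DES salt: only the first two characters are used, and DES crypt
// only hashes the first eight characters of the password.
$md5salt = md5('thispassword1111');
var_dump(crypt('thispassword1111', $md5salt) === crypt('thispass', substr($md5salt, 0, 2)));

// Two-argument form that selects CRYPT_MD5: "$1$" + up to 8 salt chars + "$".
// The password is passed unchanged; only the salt carries the markers.
// The salt below is constructed for the example; use a random one per user.
$salt   = '$1$' . 'Ab3dEf9h' . '$';
$stored = crypt('thispassword1111', $salt);
echo crypt_scheme($stored), ' ', $stored, "\n";

// Verification: pass the stored hash as the salt, then compare in constant time.
var_dump(hash_equals($stored, crypt('thispassword1111', $stored)));
var_dump(hash_equals($stored, crypt('thispassword2222', $stored)));
```

The two short outputs in the first post are classified as standard DES, which is why they look shorter than the `$1$` one: the md5() string was taken as a two-character DES salt, not as a request for MD5 hashing.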
