João Dias

Reputation: 1108

Crypt function generates the same hash for the same password

I'm trying to create a hashing function that, given a random salt, generates a password hash from it.

The problem is that if I enter the same password for two different users, the hash generated is the same for both.

What might be the problem?

class User
{
    public $nome;
    public $email;
    public $password;

    public function generateSalt()
    {
        // 32 hex characters taken from a sha1 of a uniqid()/rand() combination
        return substr(sha1(uniqid(rand(), true)), 0, 32);
    }

    public function pwdEncrypt($password, $salt)
    {
        // crypt setting string built from a '$2a$' prefix, the salt and a trailing '$'
        $hash = crypt($password, '$2a$' . $salt . '$');
        return $hash;
    }

    public function registerUser($nome, $email, $password, $permitions, $active)
    {
        $this->nome = $nome;
        $this->email = $email;

        $salt = $this->generateSalt();
        $this->password = $this->pwdEncrypt($password, $salt);

        //INSERT METHODS BELOW
    }
}

Upvotes: 0

Views: 161

Answers (2)

lll

Reputation: 12889

That's not how you use crypt with blowfish ($2a$).

You need to specify the strength, and the salt at the end.

Try this:

crypt($password, '$2a$08$' . $salt);

Obviously increase the strength to improve security, at the expense of processing time.

I should also add, if you are using a PHP version greater than 5.3.7, you should use $2y$ for your blowfish algorithm, as an attack for $2a$ was discovered in 2011.

Upvotes: 3
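
A corrected salt/hash pair in the format this answer describes, added here as an example and not taken from the question or either answer: a "$2y$<cost>$" prefix followed by a 22-character salt from the alphabet ./0-9A-Za-z, a check that crypt() really produced a bcrypt hash rather than a failure marker, and verification against the stored hash. It assumes PHP 7 or later (random_bytes and scalar type hints); the function names generateBcryptSalt, pwdHash, pwdVerify and demo are hypothetical.

```php
<?php
// Added example, not the asker's or the answerers' code. Assumes PHP >= 7.0
// (random_bytes, scalar type hints); the function names are hypothetical.

// bcrypt expects "$2y$<2-digit cost>$" followed by exactly 22 characters from
// the alphabet ./0-9A-Za-z. base64 of 16 random bytes gives 24 characters (the
// last two are '=' padding) and uses '+' where bcrypt uses '.', so remap and cut.
function generateBcryptSalt(): string
{
    $raw = base64_encode(random_bytes(16));
    return substr(strtr($raw, '+', '.'), 0, 22);
}

function pwdHash(string $password, int $cost = 10): string
{
    // Cost is a two-digit work factor (04..31); each +1 doubles the hashing time.
    $setting = sprintf('$2y$%02d$%s', $cost, generateBcryptSalt());
    $hash = crypt($password, $setting);

    // crypt() returns "*0" (or "*1") instead of a hash when the setting string is
    // malformed; some older builds instead fell back silently to a weaker algorithm.
    // A genuine bcrypt hash is always 60 characters and keeps the "$2y$" prefix.
    if (strlen($hash) !== 60 || strncmp($hash, '$2y$', 4) !== 0) {
        throw new RuntimeException('bcrypt hashing failed; check the setting string');
    }
    return $hash;
}

function pwdVerify(string $password, string $storedHash): bool
{
    // The stored hash carries cost and salt in its first 29 characters, so
    // re-hashing with it as the setting reproduces the hash if the password matches.
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// Self-check: the same password registered for two users must give two different
// hashes, and each must verify only against the right password.
function demo(): bool
{
    $a = pwdHash('correct horse battery');
    $b = pwdHash('correct horse battery');
    return $a !== $b
        && pwdVerify('correct horse battery', $a)
        && pwdVerify('correct horse battery', $b)
        && !pwdVerify('wrong password', $a);
}
var_dump(demo());

// On PHP >= 5.5 the same result without a hand-built salt:
// password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]) and password_verify().
```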

MiDo

Reputation: 1057

crypt() will return a hashed string using the standard Unix DES-based algorithm.

Standard DES-based hash has a two-character salt from the alphabet "./0-9A-Za-z".

Since in your case the first three characters of the salt are always the same, the salt used is always the same.

Use

return $salt = substr(sha1(uniqid(rand(), true)), 0, 2);

and

$hash = crypt($password, $salt);

Upvotes: 2
