Luciano Nascimento

Reputation: 2600

Local/Production Crypt Returning Different Hashes

The PHP crypt function is returning different hashes on my local and production servers. On localhost the crypt hash validation is working fine, but on production it's not.

Local: PHP 5.4.4
Production: PHP 5.3.10-1ubuntu3.5

Code:

echo crypt('123123123');

Local Example Response:

$1$7ymnm8q/$M6HLj2JEvzWGElqlwjAKm0

Production Example Response:

$6$sbttg2v6$2YAU3dNKR/.MRGmbBV4sR8vEhr/L8aOMTej1u3gArhgIiCiJ5IFJ

Upvotes: 0

Views: 176

Answers (2)

Sirko

Reputation: 74046

Citing from the PHP docu on crypt():

crypt() will return a hashed string using the standard Unix DES-based algorithm or alternative algorithms that may be available on the system.

So crypt() is not bound to a specific algorithm, but uses what the system supports.

You may use the following constants to see which are supported on the system where you are running crypt():

  • CRYPT_STD_DES
  • CRYPT_EXT_DES
  • CRYPT_MD5
  • CRYPT_BLOWFISH
  • CRYPT_SHA256
  • CRYPT_SHA512

If you look at the examples in the docu, you'll see that your local code uses MD5 for encryption, while the production server uses SHA-512.

Furthermore you don't specify a specific salt, so PHP will generate one for you, which will also differ in each invocation of crypt().

Upvotes: 1

Fabian Schmengler

Reputation: 24551

The systems use different default hashing algorithms: $1$ stands for MD5, $6$ for SHA-512.

You should specify the algorithm explicitly using the salt parameter:

crypt('123123123', '$6$somerandomstring');

See crypt() documentation:

salt An optional salt string to base the hashing on. If not provided, the behaviour is defined by the algorithm implementation and can lead to unexpected results.

Upvotes: 0
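
An added example (not code from either answer or from the PHP manual) that pins the algorithm with an explicit `$6$` salt and verifies by passing the stored hash back to crypt(), so the result does not depend on each host's default. The function names are hypothetical; it assumes PHP 5.3 or later with the OpenSSL extension loaded.

```php
<?php
// Added example; function names are hypothetical, not from the answers.

// Build a "$6$<16 chars>$" salt so crypt() selects SHA-512 on every host.
function make_sha512_salt() {
    $raw = openssl_random_pseudo_bytes(12);          // 12 bytes -> 16 base64 chars
    return '$6$' . strtr(base64_encode($raw), '+', '.') . '$';
}

function hash_password($password) {
    if (CRYPT_SHA512 != 1) {
        throw new RuntimeException('SHA-512 crypt is not available here');
    }
    $hash = crypt($password, make_sha512_salt());
    // On failure crypt() returns a short marker such as "*0", not a hash.
    if (strpos($hash, '$6$') !== 0) {
        throw new RuntimeException('crypt() failed');
    }
    return $hash;
}

// The stored hash carries its own "$id$salt$" prefix, so passing it back as
// the salt makes crypt() repeat the same algorithm regardless of the default.
function verify_password($password, $stored) {
    $candidate = crypt($password, $stored);
    if (function_exists('hash_equals')) {            // PHP 5.6+
        return hash_equals($stored, $candidate);
    }
    if (strlen($candidate) !== strlen($stored)) {
        return false;
    }
    $diff = 0;                                       // constant-time fallback
    for ($i = 0; $i < strlen($stored); $i++) {
        $diff |= ord($stored[$i]) ^ ord($candidate[$i]);
    }
    return $diff === 0;
}

// Show which algorithms this build reports (each constant is 1 or 0).
foreach (array('CRYPT_STD_DES', 'CRYPT_EXT_DES', 'CRYPT_MD5',
               'CRYPT_BLOWFISH', 'CRYPT_SHA256', 'CRYPT_SHA512') as $name) {
    echo $name, ' = ', constant($name), "\n";
}

$stored = hash_password('123123123');                // password from the question
echo $stored, "\n";
var_dump(verify_password('123123123', $stored));     // correct password
var_dump(verify_password('wrong-guess', $stored));   // constructed wrong input
```

Comparing two fresh crypt() outputs for the same password will not match because each call gets a new salt; verification always goes through the stored hash.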
