Reputation: 1199
From my understanding crypt(string, salt), takes the salt, tacks it onto the front of the encrypted version of the string parameter.
$pw = "secret";
$format_and_salt = '$2y$10$MWRmZTkwMTc5ZGJjZDI1NT';
$hash = crypt($pw, $format_and_salt);
$hash gets stored to the database column hashed_password
as $2y$10$MWRmZTkwMTc5ZGJjZDI1NOfGsQUgIu7ezETpe.uHjGqbmdrw2.vqm
or broken down:
first part is $format_and_salt: $2y$10$MWRmZTkwMTc5ZGJjZDI1N (sans the 'T')
+
second part is the encrypted $pw: OfGsQUgIu7ezETpe.uHjGqbmdrw2.vqm
If I then use crypt again to validate a password that a user submits to $_POST against the stored hashed_password in the database, the output for both cases doesn't seem to reflect the logic I described above. So I'm missing something.
So then:
$existing_hash = $admin['hashed_password'];
($admin being an array ultimately derived from a query).
and
crypt($pw, $existing_hash)
returns $2y$10$MWRmZTkwMTc5ZGJjZDI1NOfGsQUgIu7ezETpe.uHjGqbmdrw2.vqm
which is identical to $hash
above. This works to validate or invalidate the user's submission to $_POST, but as mentioned, if I follow the logic for the first crypt() above, I would expect:
first part is $existing_hash: $2y$10$MWRmZTkwMTc5ZGJjZDI1NOfGsQUgIu7ezETpe.uHjGqbmdrw2.vqm
+
second part is the encrypted $pw: OfGsQUgIu7ezETpe.uHjGqbmdrw2.vqm
which I'd expect to combine as:
$2y$10$MWRmZTkwMTc5ZGJjZDI1NOfGsQUgIu7ezETpe.uHjGqbmdrw2.vqmOfGsQUgIu7ezETpe.uHjGqbmdrw2.vqm
Can someone explain why the original crypt and the crypt just above that was used to validate the first one both have the same output? Thanks in advance.
Upvotes: 0
Views: 487
Reputation: 2200
You're using Blowfish encryption - only the first 22 characters of the salt are used. This is one of the benefits of using blowfish.
From the PHP manual:
Blowfish hashing with a salt as follows: "$2a$", "$2x$" or "$2y$", a two digit cost parameter, "$", and 22 characters from the alphabet "./0-9A-Za-z".
This means that the salt from $existing_hash ends up being $2y$10$MWRmZTkwMTc5ZGJjZDI1N
- exactly the same as previously.
Upvotes: 2
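The following is an added worked example (not code from either post) that makes the answer's point concrete: a bcrypt string is a 7-character header ("$2y$", two-digit cost, "$") followed by 22 salt characters, 29 characters in all, and crypt() reads only that prefix from whatever you pass as the second argument. Passing the full stored hash therefore supplies exactly the same cost and salt as the original call, so a matching password reproduces the stored hash byte for byte. The helper names (bcrypt_salt_prefix, verify_with_crypt) and the sample password are assumptions for illustration; the salt value is the one from the question.

```php
<?php
// Added example, not from the original question or answer.
// Demonstrates that crypt() only consumes the first 29 characters
// ("$2y$" + 2-digit cost + "$" + 22 salt chars) of its salt argument.

// Extract the header + 22-character salt that bcrypt actually uses.
function bcrypt_salt_prefix(string $hash_or_salt): string
{
    // 4 + 2 + 1 + 22 = 29 characters; alphabet is ./0-9A-Za-z
    if (!preg_match('/^\$2[abxy]\$\d{2}\$[.\/A-Za-z0-9]{22}/', $hash_or_salt, $m)) {
        throw new InvalidArgumentException('not a bcrypt salt or hash');
    }
    return $m[0];
}

// Verify a submitted password against a stored bcrypt hash using crypt().
// crypt() takes cost + salt from $stored_hash and ignores the trailing
// 31-character digest, so the output equals $stored_hash iff $password matches.
function verify_with_crypt(string $password, string $stored_hash): bool
{
    $computed = crypt($password, $stored_hash);
    // constant-time comparison; never compare hashes with == or ===
    return hash_equals($stored_hash, $computed);
}

$pw              = 'secret';                          // sample password (assumed)
$format_and_salt = '$2y$10$MWRmZTkwMTc5ZGJjZDI1NT';  // 22 salt chars, from the question
$hash            = crypt($pw, $format_and_salt);      // what gets stored in hashed_password

// Second call with the whole stored hash as "salt": same cost, same salt, same result.
$rehash = crypt($pw, $hash);

echo "stored hash : $hash\n";
echo "re-hash     : $rehash\n";
echo "salt prefix : ", bcrypt_salt_prefix($hash), "\n";
var_dump(strlen($hash) === 60);                 // bool(true): 29-char prefix + 31-char digest
var_dump($rehash === $hash);                    // bool(true): nothing gets appended
var_dump(verify_with_crypt('secret', $hash));   // bool(true)
var_dump(verify_with_crypt('wrong', $hash));    // bool(false)
```

One caveat worth knowing when you compare prefixes by eye, as the question does: the 22 salt characters encode 128 bits, so only the top two bits of the 22nd character are meaningful, and crypt() re-encodes those bits with the low bits cleared. That is why the 'T' you passed in comes back as 'O' in the stored hash; both decode to the same salt, and bcrypt_salt_prefix($format_and_salt) will differ from bcrypt_salt_prefix($hash) in that one character even though the underlying salt is identical. Comparing the full 60-character output with hash_equals(), as verify_with_crypt() does, sidesteps that entirely. For new code, password_hash() and password_verify() wrap exactly this crypt() behaviour and generate the salt for you.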