Interesting. Still keeping an eye on this :)
(And don't worry if it is you making errors [or it might not be], because I'm confused as well. But I'm glad it looks like it's mostly working out.)
For the new issue, that's the salt not being different; I'm not sure that's a major concern. Do different input strings (eg, passwords) give unique results now? It's a little odd that the salt isn't necessarily unique, but as long as there are still many combinations, I imagine it won't be a major problem.
Where php.net says blowfish uses a 22-character salt, I think the docs are either a) counting that last $ as one of the characters, or b) wrong. Consider:
Originally Posted by james438
The output hash is prefixed with the salt - but the 'y' is omitted. One way or the other, I'm sure it's being dropped.
<?php
// 22-character salt: twenty-one '1's followed by 'y' (the 22nd character)
print crypt( 'hello','$2y$07$111111111111111111111y' );
# output # $2y$07$111111111111111111111uQeYcdC8/9Fn5yLUy.9ykXnYTaG3Dyhu
I'm not so sure.
Changing "e" above to letters a-d produces the same hashes. e-t produce the same hashes. u-z produce the same results.
I'm happy with how blowfish is working now, so currently this is partly for fun. I'm also a little bit concerned that there is a flaw with how blowfish works. I have to wonder what other salts produce the same results?
A-N, O-Z, and 0-9 also produce the same hashes...
damn you, james! :p
Yeah, I'm not sure what to think of these findings.
Thanks for investigating those other letters and numbers. As far as I can tell blowfish is still better than DES (whatever DES is).
That's just weird. Is it only that last character? Have you noticed any other patterns for the whole string? Does 'aaaa'=='bbbb' for example?
And that is worrying because as far as I know (unless these algorithms are very different), a salt is just added to the string before hashing. So that would mean that the differences from one string to another would not create a different hash either, greatly increasing the chance of a collision. Potentially very problematic.
I'm sure it's just something we don't quite understand about the algorithm (or, more likely, how crypt() applies the salt).
My head hurts. Night, all.
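The groupings reported in the thread (./A-N, O-Z plus a-d, e-t, u-z plus 0-9) fall straight out of how a bcrypt salt is stored. The salt is 16 raw bytes (128 bits), but crypt() spells it as 22 characters of bcrypt's own base64 alphabet, which can carry 132 bits; the low 4 bits of the 22nd character cannot be stored, so they are dropped when the salt is decoded and the hash echoes the re-encoded, "canonical" spelling. That is why 'y' comes back as 'u' in the posted output, and why only the salt's last 4 encoded bits are affected: the password is still hashed in full, and the salt still has its full 128 bits. The following Python is an added example written for this page, not code posted in the thread; it implements the bcrypt base64 decode/encode rule (the OpenBSD scheme PHP's $2y$ follows) and reproduces the classes the posters found. The values it checks against are the salt and output quoted in the thread.

```python
# Added example (not from the thread): why the 22nd character of a bcrypt
# salt collapses into four groups of 16 interchangeable characters.
import secrets

# bcrypt's base64 alphabet (it is not the RFC 4648 one)
BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def decode_salt(salt22: str) -> bytes:
    """Decode the 22-character salt text to its 16 raw bytes."""
    if len(salt22) != 22:
        raise ValueError("bcrypt salt text must be exactly 22 characters")
    vals = [BCRYPT_B64.index(c) for c in salt22]  # ValueError on a bad char
    raw = bytearray()
    # first 20 characters -> 15 bytes, in groups of four 6-bit values
    for i in range(0, 20, 4):
        a, b, c, d = vals[i:i + 4]
        raw.append((a << 2) | (b >> 4))
        raw.append(((b & 0x0F) << 4) | (c >> 2))
        raw.append(((c & 0x03) << 6) | d)
    # last 2 characters -> 1 byte: only the top 2 bits of the 22nd survive
    a, b = vals[20], vals[21]
    raw.append((a << 2) | (b >> 4))
    return bytes(raw)


def encode_salt(raw16: bytes) -> str:
    """Encode 16 raw bytes as the 22-character salt text crypt() prints."""
    if len(raw16) != 16:
        raise ValueError("bcrypt salt must be exactly 16 bytes")
    out = []
    for i in range(0, 15, 3):
        b0, b1, b2 = raw16[i], raw16[i + 1], raw16[i + 2]
        out.append(BCRYPT_B64[b0 >> 2])
        out.append(BCRYPT_B64[((b0 & 0x03) << 4) | (b1 >> 4)])
        out.append(BCRYPT_B64[((b1 & 0x0F) << 2) | (b2 >> 6)])
        out.append(BCRYPT_B64[b2 & 0x3F])
    last = raw16[15]
    out.append(BCRYPT_B64[last >> 2])
    out.append(BCRYPT_B64[(last & 0x03) << 4])  # low 4 bits are always zero
    return "".join(out)


def canonical_salt(salt22: str) -> str:
    """The spelling of the salt that is actually used (and echoed in the hash)."""
    return encode_salt(decode_salt(salt22))


def last_char_classes() -> dict:
    """Group all 64 alphabet characters by the canonical 22nd character they map to."""
    classes = {}
    prefix = "1" * 21  # the prefix used in the thread; any 21 characters would do
    for ch in BCRYPT_B64:
        canon = canonical_salt(prefix + ch)[-1]
        classes[canon] = classes.get(canon, "") + ch
    return classes


def split_bcrypt_hash(h: str) -> tuple:
    """Split '$2y$NN$<22 salt chars><31 digest chars>' into its four fields."""
    parts = h.split("$")
    if len(parts) != 4 or len(parts[3]) != 53:
        raise ValueError("not a 60-character bcrypt hash string")
    return parts[1], int(parts[2]), parts[3][:22], parts[3][22:]


def fresh_salt() -> str:
    """A properly random salt: 16 bytes from the OS CSPRNG, already canonical."""
    return encode_salt(secrets.token_bytes(16))


if __name__ == "__main__":
    # Salt and output copied from the crypt() call quoted in the thread.
    posted_salt = "111111111111111111111y"
    posted_hash = "$2y$07$111111111111111111111uQeYcdC8/9Fn5yLUy.9ykXnYTaG3Dyhu"
    print("canonical salt:     ", canonical_salt(posted_salt))
    print("salt echoed in hash:", split_bcrypt_hash(posted_hash)[2])
    for canon, members in last_char_classes().items():
        print(f"22nd char {canon!r} stands for: {members}")
    print("random salt:", fresh_salt())
```

Running it prints the four groups exactly as the thread lists them and shows that the salt echoed in the posted hash is the canonical form of the salt that was passed in. The practical lesson is the one the thread reaches on its own: generate the 16 salt bytes from a CSPRNG (as `fresh_salt` does, or simply let PHP's password_hash() do it) rather than hand-writing a 22-character string, and the last-character oddity never matters.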