
Thread: shouldn't these hashes be different?

  1. #1
    Join Date
    Jan 2007
    Location
    Davenport, Iowa
    Posts
    1,731
    Thanks
    82
    Thanked 90 Times in 88 Posts

    shouldn't these hashes be different?

    The following is a bit confusing for me:

    PHP Code:
    <?php
    $salt = "th";   // a 2-character salt selects classic DES crypt()
    $old_password = "173.22.119.158asdfsdfasdfgasdfgasdfgadfgadfgadfasdgasdgsdgagsdgadgfadfgadgfadgfadfgdfg";
    $new_password = "173.22.1f";
    $old_password = crypt($old_password, $salt);
    $new_password = crypt($new_password, $salt);
    // braces keep exit() inside the if; without them exit() ran unconditionally and the echo below was never reached
    if ($new_password == $old_password) { echo "hi"; exit(); }
    echo "$old_password<br>$new_password<br>";
    ?>
    Shouldn't these hashes be very different from each other?
    Last edited by james438; 02-19-2013 at 06:08 AM.
    To choose the lesser of two evils is still to choose evil. My personal site

  2. #2
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,643
    Thanks
    63
    Thanked 517 Times in 503 Posts
    Blog Entries
    5


    hm... only the first eight characters seem to matter.

    I don't know. Quick research on DES talks about weaknesses created by small key sizes (64 bits, which corresponds to eight ASCII characters), but I don't follow if that's directly the problem. I would suspect so.

    I'd suggest not using crypt()'s default DES implementation. DES is considered insecure by pretty much everyone, and is, in fact, not a standard anymore.

    I'd suggest switching to blowfish ( $salt = "$2y$07${22-character salt using [./0-9A-Za-z]}$" )
    or SHA-512 ( $salt = "$6$rounds=5000${16-character salt}$" )

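The following is an added example (my code, not code from the thread or from PHP's documentation; it assumes PHP 7 or later, and the function names are mine). It reproduces the collision from post #1, where DES crypt() only looks at the first eight bytes of the password, and then shows the bcrypt route suggested above with a properly generated 22-character salt, a check that crypt() did not return its failure marker, and a constant-time verify:

```php
<?php
// Added example, not code from the thread. Reproduces the DES collision in
// post #1 and shows the bcrypt route with a real 22-character salt.

// Classic DES crypt(): a 2-character salt; password bytes after the 8th are ignored.
function desHash(string $password, string $salt2): string
{
    return crypt($password, $salt2);
}

// Build "$2y$<cost>$" plus 22 random characters from [./0-9A-Za-z].
// 16 random bytes base64-encode to 24 characters; the first 22 are kept and
// '+' is swapped for '.', which is in bcrypt's salt alphabet.
function bcryptSalt(int $cost = 12): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    $chars = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $chars);
}

// Hash with bcrypt and refuse to return crypt()'s failure marker ("*0"),
// which would otherwise end up stored as if it were a hash.
// bcrypt itself uses only the first 72 bytes of the password.
function bcryptHash(string $password, string $salt): string
{
    $hash = crypt($password, $salt);
    if (strlen($hash) !== 60) {            // a valid bcrypt string is always 60 characters
        throw new RuntimeException('crypt() rejected the salt: ' . $salt);
    }
    return $hash;
}

// Verify: the stored hash doubles as the salt, and hash_equals() compares in constant time.
function bcryptVerify(string $password, string $storedHash): bool
{
    return hash_equals($storedHash, crypt($password, $storedHash));
}

$long  = '173.22.119.158asdfsdfasdfgasdfgasdfgadfgadfgadfasdgasdgsdgagsdgadgfadfgadgfadgfadfgdfg';
$short = '173.22.1f';

// Both start with "173.22.1", so DES produces the same 13-character hash.
var_dump(desHash($long, 'th') === desHash($short, 'th'));   // bool(true)

$salt = bcryptSalt(7);
$h1 = bcryptHash($long, $salt);
$h2 = bcryptHash($short, $salt);
var_dump($h1 === $h2);                    // bool(false)
var_dump(bcryptVerify($short, $h2));      // bool(true)
var_dump(bcryptVerify($long, $h2));       // bool(false)

// From PHP 5.5 the same thing without hand-built salts: password_hash()
// generates the salt and password_verify() checks it.
$stored = password_hash($short, PASSWORD_BCRYPT, ['cost' => 12]);
var_dump(password_verify($short, $stored)); // bool(true)
```

The two digits after $2y$ are the cost, a base-2 exponent: bcrypt runs 2^cost key-setup rounds, so each increment roughly doubles the time and cost 13 takes about 64 times longer than cost 07.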

  4. #3
    Join Date
    Jan 2007
    Location
    Davenport, Iowa
    Posts
    1,731
    Thanks
    82
    Thanked 90 Times in 88 Posts


    Good to know. I thought DES was good. I'll try to update to Blowfish then.

  5. #4
    Join Date
    Jan 2007
    Location
    Davenport, Iowa
    Posts
    1,731
    Thanks
    82
    Thanked 90 Times in 88 Posts


    Just to make sure I am writing this out correctly, the salt starts with $2y$ followed by a 22-character alphanumeric string and ends with $. crypt sees the salt format and hashes accordingly.

    After some trial and error, reading up on it on php.net and a few other sources I was able to get the following to work.

    Code:
    <?php
    $salt = "$2y$07$";   // "$2y$" selects bcrypt and 07 is the cost; the 22-character salt that should follow is missing
    $old_password = "173.22.459.158fadfgdfg";
    $new_password = "173.22.45";
    $old_password = crypt($old_password, $salt);
    $new_password = crypt($new_password, $salt);
    echo "$old_password<br>$new_password<br>";
    ?>
    It appears that in order to change the salt I need to modify the 07 in the salt above to another numeric salt. I am sure I am doing something wrong. Most of my other efforts produce two identical hashes. I noticed that the higher the 2-digit number, the longer it takes to compile. 13, as in $salt="$2y$13$";, takes about 3 seconds, which is as long as I want to try. I suspect the time it takes to compile increases exponentially.

  6. #5
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,643
    Thanks
    63
    Thanked 517 Times in 503 Posts
    Blog Entries
    5


    PHP Code:
    <?php
    $salt = '$2y$07$bhfjdiiglt.lod387yhsi';   // single-quoted, so every "$" stays literal; bcrypt expects 22 characters after the cost and this string has 21
    $old_password = "173.22.459.158fadfgdfg";
    $new_password = "173.22.45";
    $old_password = crypt($old_password, $salt);
    $new_password = crypt($new_password, $salt);
    echo "$old_password<br>$new_password<br>";
    The "07" isn't the hash, it's a "cost" (I don't know exactly, but it has to do with the number of iterations, etc.).

    Your original example didn't have an actual salt (see above), but I did not get identical hashes even using your example.

  7. #6
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts


    I'm following this discussion (and the others) because it's interesting/useful for me. But I'm confused.

    What I'm concerned about is whether crypt() is always consistent across servers. Several times now the two of you have had different results on different servers. I haven't tried it myself, but I've been thinking about switching over to this function.

    So, I see three possibilities:
    1. crypt() behaves differently on different servers due to which algorithms are available, underlying settings, etc.
    (This means that moving hosts would be a huge problem and that code isn't portable in general. It might be better for security, but it's a problem for usability.)

    2. James has been doing something wrong the whole time. It's certainly possible, but I can't see what it is, so I wouldn't do it any better. If so, what is the problem? Traq, you seem to be able to avoid the problem-- have you also figured out what James has done wrong, or only how to do it the right way on your server?

    3. James's server is broken. crypt() will work as expected everywhere else, and there's just something wrong with php/crypt() on that installation. (I don't know that this is the case, it's just a guess, since it seems very inconsistent.)

    Any idea which one might be the case? All I know is that I'm very confused by crypt(), and that I haven't had a lot of free time to play with it. I imagine I'll run into the same problems that James has when I do, though.

    Is crypt() available to the same degree on all servers? Are there version differences?

    Also: wouldn't it be a worthwhile project to create some functions for the different algorithms that make the arguments more intuitive? So we could create, for example:
    function blowfish($string,$salt='',$rounds=1)
    Last edited by djr33; 02-19-2013 at 06:32 PM.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  8. #7
    Join Date
    Jan 2007
    Location
    Davenport, Iowa
    Posts
    1,731
    Thanks
    82
    Thanked 90 Times in 88 Posts


    PHP Code:
    <?php
    $salt = "$2y$07$bhfjdiiglt.lod387yhsi";   // double-quoted: PHP treats $bhfjdiiglt as a variable and interpolates it
    $old_password = "173.22.459.158fadfgdfg";
    $new_password = "173.22.45";
    $old_password = crypt($old_password, $salt);
    $new_password = crypt($new_password, $salt);
    echo "$old_password<br>$new_password<br>";
    ?>
    produces identical results. If the salt is:
    Code:
    $salt="$2y$07$bhfjdggggt.lo";
    I still get the following hashed results.
    Code:
    $29AzSzYWnQIo
    $29AzSzYWnQIo
    Apparently it has something to do with the period inserted in my salt.

    Testing further if I use any of the following salts:
    Code:
    $salt="$2y$07$a111111111111111111111";
    $salt="$2y$07$abcdefghijklmnopqrstuv";
    $salt="$2y$07$a111111111111111111111";
    $salt="$2y$07$z111111111111111111111";
    $salt="$2y$07$A111111111111111111111";
    I get hash results of:
    Code:
    $2y$07$$$$$$$$$$$$$$$$$$$$$$.2nQ9E9AcydYp.2eiPJ2AQKr0V/PrQBe
    $2y$07$$$$$$$$$$$$$$$$$$$$$$.lB8QuQjzbPsayD0PksDNYZnptEWnri2
    but
    Code:
    $salt="$2y$07$2111111111111111111111";
    and
    Code:
    $salt="$2y$07$3111111111111111111111";
    produce different results.

  9. #8
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,643
    Thanks
    63
    Thanked 517 Times in 503 Posts
    Blog Entries
    5


    I'll look more into this later, but you're defining $salt with double-quotes. PHP is assuming those dollar signs are supposed to be variables.

  10. #9
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts


    That might be it. James, if you use single quotes, does any of this work better?

    (Traq, I'm not sure what PHP thinks if you have a dollar sign as a variable but then no variable or a 'variable name' that starts with a number... maybe it gives a warning?)
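An added example (my code, not from the thread; assumes PHP 7 or later, function names are mine) that answers the two questions above directly: what PHP makes of the "$" signs in the double-quoted salt from post #7, and which crypt() algorithms a given PHP build provides. It also includes a check for a well-formed bcrypt salt, which is the test to run before handing anything to crypt(); note that the salt string used in posts #5 and #7 has only 21 characters after the cost, so it fails that check even when single-quoted:

```php
<?php
// Added example, not code from the thread. Double vs single quotes around a
// bcrypt salt, a validity check for the salt, and a capability report.

// A well-formed bcrypt salt: "$2y$" (or $2a$/$2b$), a two-digit cost from 04
// to 31, "$", then exactly 22 characters from [./0-9A-Za-z].
function isValidBcryptSalt(string $salt): bool
{
    return preg_match('/^\$2[aby]\$(0[4-9]|[12][0-9]|3[01])\$[.\/0-9A-Za-z]{22}$/', $salt) === 1;
}

// Which crypt() algorithms this build supports. PHP ships its own
// implementations, so all of these are 1 since PHP 5.3.0; the "$2y$" prefix
// is accepted from 5.3.7.
function cryptSupport(): array
{
    return [
        'std_des'  => CRYPT_STD_DES,
        'ext_des'  => CRYPT_EXT_DES,
        'md5'      => CRYPT_MD5,
        'blowfish' => CRYPT_BLOWFISH,
        'sha256'   => CRYPT_SHA256,
        'sha512'   => CRYPT_SHA512,
    ];
}

// "$2" and "$0" are not variable names (a variable cannot start with a digit),
// so a double-quoted "$2y$07$" survives unchanged.
var_dump("$2y$07$" === '$2y$07$');           // bool(true)

// "$bhfjdiiglt" is a variable name. It is undefined, so PHP emits an
// "Undefined variable" warning and substitutes an empty string.
$double = "$2y$07$bhfjdiiglt.lod387yhsi";
var_dump($double);                           // string(18) "$2y$07$.lod387yhsi"

// Single quotes keep every character literal.
$single = '$2y$07$bhfjdiiglt.lod387yhsi';
var_dump($single);                           // string(28) "$2y$07$bhfjdiiglt.lod387yhsi"

// Neither is usable: the first lost its salt, the second has 21 salt
// characters instead of 22.
var_dump(isValidBcryptSalt($double));        // bool(false)
var_dump(isValidBcryptSalt($single));        // bool(false)

// The 22-letter salt from post #7, single-quoted this time, passes.
var_dump(isValidBcryptSalt('$2y$07$abcdefghijklmnopqrstuv'));   // bool(true)

print_r(cryptSupport());
```

The warning PHP prints for the undefined variable is the quickest clue that a double-quoted salt has been mangled; the validator catches the cases that produce no warning at all, such as a salt that is simply too short.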

  11. #10
    Join Date
    Jan 2007
    Location
    Davenport, Iowa
    Posts
    1,731
    Thanks
    82
    Thanked 90 Times in 88 Posts


    Silly me. It was the single quotes. Sorry about that. That took care of 99% of my issues.

    I did still notice one small anomaly.

    Code:
    $salt='$2y$07$111111111111111111111y';
    $salt='$2y$07$1111111111111111111111';
    both produce the same results.

    Considering how new I am to crypt(), I am going to assume the discrepancies between traq and myself have to do with errors on my part. I'm still trying to get some of the basic syntax down.

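The "anomaly" in post #10 is not an error on the poster's part; it follows from how bcrypt reads its salt. The 22 salt characters each carry 6 bits, 132 in total, but bcrypt uses only 128 of them, so the low four bits of the 22nd character are discarded. In bcrypt's alphabet ("./A-Za-z0-9") the characters '1' (index 55, binary 110111) and 'y' (index 52, binary 110100) share their top two bits, which is why the two salts produce the same hash. The following added example (my code, not from the thread; assumes PHP 7 or later, names are mine) decodes the salt the way bcrypt does and confirms this, both by comparing the decoded bytes and by calling crypt():

```php
<?php
// Added example, not code from the thread. Decodes a 22-character bcrypt salt
// to the 16 bytes bcrypt actually uses, to explain the post #10 anomaly.

// bcrypt's own base64 alphabet: '.' = 0, '/' = 1, 'A'..'Z' = 2..27,
// 'a'..'z' = 28..53, '0'..'9' = 54..63.
const BCRYPT_ALPHABET = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

// Decode the 22-character salt part to its 16 effective bytes.
function bcryptSaltBytes(string $salt22): string
{
    if (strlen($salt22) !== 22) {
        throw new InvalidArgumentException('bcrypt salt must be exactly 22 characters');
    }
    $bits = '';
    for ($i = 0; $i < 22; $i++) {
        $v = strpos(BCRYPT_ALPHABET, $salt22[$i]);
        if ($v === false) {
            throw new InvalidArgumentException("character '{$salt22[$i]}' is not in the bcrypt alphabet");
        }
        $bits .= str_pad(decbin($v), 6, '0', STR_PAD_LEFT);
    }
    // 132 bits decoded; only the first 128 (16 bytes) are the salt, so the
    // last four bits of the 22nd character are dropped here.
    $bytes = '';
    for ($i = 0; $i < 128; $i += 8) {
        $bytes .= chr(bindec(substr($bits, $i, 8)));
    }
    return $bytes;
}

// True when two salt strings are the same salt as far as bcrypt is concerned.
function sameEffectiveSalt(string $a, string $b): bool
{
    return bcryptSaltBytes($a) === bcryptSaltBytes($b);
}

$a = '111111111111111111111y';   // the two salts from post #10
$b = '1111111111111111111111';

// '1' = 110111 and 'y' = 110100 agree in their top two bits, the only bits
// of the last character that count.
var_dump(sameEffectiveSalt($a, $b));                                  // bool(true)
var_dump(crypt('x', '$2y$04$' . $a) === crypt('x', '$2y$04$' . $b));  // bool(true)

// A last character with a different top pair is a different salt. '.' is
// index 0 (top bits 00) and is a perfectly valid salt character.
var_dump(sameEffectiveSalt($a, '111111111111111111111.'));            // bool(false)
```

Cost 04 is used in the crypt() calls only to keep the demonstration fast; the equality holds at any cost. Because of this, a salt generator should produce the full 22 characters from random data rather than treating the last character as carrying a full six bits of entropy.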
