
Thread: shouldn't these hashes be different?

  1. #11

    Interesting. Still keeping an eye on this.
    (And don't worry if it is you making errors [or it might not be], because I'm confused as well. But I'm glad it looks like it's mostly working out.)

    For the new issue, that's the salt not being different; I'm not sure that's a major concern. Do different input strings (eg, passwords) give unique results now? It's a little odd that the salt isn't necessarily unique, but as long as there are still many combinations, I imagine it won't be a major problem.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  2. #12

    Quote: Originally Posted by james438
    Code:
    $salt='$2y$07$111111111111111111111y';
    $salt='$2y$07$1111111111111111111111';
    both produce the same results.

    Considering how new I am to crypt() I am going to assume the discrepancies between traq and myself have to do with errors on my part. I'm still trying to get some of the basic syntax down.
    Where php.net says blowfish uses a 22-character salt, I think the docs are either a) counting that last $ as one of the characters, or b) wrong. Consider:
    PHP Code:
    print crypt( 'hello','$2y$07$111111111111111111111y' );
    # output #            $2y$07$111111111111111111111uQeYcdC8/9Fn5yLUy.9ykXnYTaG3Dyhu 
    The output hash is prefixed with the salt - but the 'y' is omitted. One way or the other, I'm sure it's being dropped.

  3. #13

    I'm not so sure.

    Code:
    $salt='$2y$07$111111111111111111111e';
    Changing "e" above to letters a-d produces the same hashes. e-t produce the same hashes. u-z produce the same results.

    I'm happy with how blowfish is working now, so currently this is partly for fun. I'm also a little bit concerned that there is a flaw with how blowfish works. I have to wonder what other salts produce the same results?
    To choose the lesser of two evils is still to choose evil. My personal site

  4. The Following User Says Thank You to james438 For This Useful Post:

    djr33 (02-20-2013)

  5. #14

    A-N, O-Z, and 0-9 also produce the same hashes...

    damn you, james!

  6. #15

    Yeah, I'm not sure what to think of these findings.

    Thanks for investigating those other letters and numbers. As far as I can tell blowfish is still better than DES (whatever DES is).

  7. #16

    That's just weird. Is it only that last character? Have you noticed any other patterns for the whole string? Does 'aaaa'=='bbbb' for example?

    And that is worrying because as far as I know (unless these algorithms are very different), a salt is just added to the string before hashing. So that would mean that the differences from one string to another would not create a different hash either, greatly increasing the chance of a collision. Potentially very problematic.

  8. #17

    I'm sure it's just something we don't quite understand about the algorithm (or, more likely, how crypt() applies the salt).
    My head hurts. Night, all.
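
The groupings reported in posts #13 and #14 follow from bcrypt's salt encoding: the salt is 128 bits, but 22 characters of 6 bits each carry 132 bits, so only the top 2 bits of the 22nd character are used. The following is an added example, not code from any poster in this thread (the function names are hypothetical); it normalises a setting string that way and compares the result with the setting crypt() echoes back:

```php
<?php
// Added illustration; the function names are hypothetical, not PHP built-ins.
// bcrypt's base64 alphabet (its ordering differs from standard base64).
const BCRYPT_ALPHABET = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

// Return the setting string with the salt as bcrypt actually uses it:
// the low 4 bits of the 22nd salt character are discarded.
function canonical_bcrypt_setting(string $setting): string
{
    if (!preg_match('#^(\$2[axy]\$\d{2}\$)([./A-Za-z0-9]{22})#', $setting, $m)) {
        throw new InvalidArgumentException('expected $2a$/$2x$/$2y$, a cost and a 22-character salt');
    }
    $alphabet = BCRYPT_ALPHABET;
    $salt = $m[2];
    $value = strpos($alphabet, $salt[21]);   // 6-bit value of the last character
    $salt[21] = $alphabet[$value & 0x30];    // keep only its top 2 bits
    return $m[1] . $salt;
}

// Group all 64 possible last characters by the character bcrypt stores for them.
function last_char_classes(): array
{
    $alphabet = BCRYPT_ALPHABET;
    $classes = [];
    for ($i = 0; $i < 64; $i++) {
        $kept = $alphabet[$i & 0x30];
        $classes[$kept] = ($classes[$kept] ?? '') . $alphabet[$i];
    }
    return $classes;
}

// Settings quoted in posts #12 and #13 of this thread.
$settings = [
    '$2y$07$111111111111111111111y',
    '$2y$07$1111111111111111111111',
    '$2y$07$111111111111111111111e',
];
foreach ($settings as $setting) {
    // crypt() echoes the setting it used as the first 29 characters of its output.
    $used = substr(crypt('hello', $setting), 0, 29);
    printf("%s -> %s (crypt() used %s)\n", $setting, canonical_bcrypt_setting($setting), $used);
}
foreach (last_char_classes() as $kept => $members) {
    printf("stored as '%s': %s\n", $kept, $members);
}
```

Settings that differ only in the discarded bits of the last character hash identically; every bit of the first 21 salt characters is used.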
