Global Moderator
Interesting. Still keeping an eye on this
(And don't worry if it is you making errors [or it might not be], because I'm confused as well. But I'm glad it looks like it's mostly working out.)
For the new issue, that's the salt not being different; I'm not sure that's a major concern. Do different input strings (eg, passwords) give unique results now? It's a little odd that the salt isn't necessarily unique, but as long as there are still many combinations, I imagine it won't be a major problem.
Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
global $Moderator;
Where php.net says blowfish uses a 22-character salt, I think the docs are either a) counting that last $ as one of the characters, or b) wrong. Consider:Originally Posted by james438
The output hash is prefixed with the salt - but the 'y' is omitted. One way or the other, I'm sure it's being dropped.PHP Code:print crypt( 'hello','$2y$07$111111111111111111111y' );
# output # $2y$07$111111111111111111111uQeYcdC8/9Fn5yLUy.9ykXnYTaG3Dyhu
We Only Torture the Folks We Don't Like (You're Probably Gonna Be Okay)
It's a Party in the CIA
Global Moderator
I'm not so sure.
Changing "e" above to letters a-d produce the same hashes. e-t produce the same hashes. u-z produce the same results.Code:$salt='$2y$07$111111111111111111111e';
I'm happy with how blowfish is working now, so currently this is partly for fun. I'm also a little bit concerned that there is a flaw with how blowfish works. I have to wonder what other salts produce the same results?
To choose the lesser of two evils is still to choose evil. My personal site
djr33 (02-20-2013)
global $Moderator;
A-N, O-Z, and 0-9 also produce the same hashes...
damn you, james!
We Only Torture the Folks We Don't Like (You're Probably Gonna Be Okay)
It's a Party in the CIA
Global Moderator
Yeah, I'm not sure what to think of these findings.
Thanks for investigating those other letters and numbers. As far as I can tell blowfish is still better than DES (whatever DES is).
To choose the lesser of two evils is still to choose evil. My personal site
Global Moderator
That's just weird. Is it only that last character? Have you noticed any other patterns for the whole string? Does 'aaaa'=='bbbb' for example?
And that is worrying because as far as I know (unless these algorithms are very different), a salt is just added to the string before hashing. So that would mean that the differences from one string to another would not create a different hash either, greatly increasing the chance of a collision. Potentially very problematic.
Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
global $Moderator;
I'm sure it's just something we don't quite understand about the algorithm (or, more likely, how crypt() applies the salt).
My head hurts. Night, all.
We Only Torture the Folks We Don't Like (You're Probably Gonna Be Okay)
It's a Party in the CIA
Posting Permissions
Reply With Quote
Bookmarks