shouldn't these hashes be different?

**djr33** · 02-20-2013, 01:07 AM

Interesting. Still keeping an eye on this

(And don't worry if it is you making errors [or it might not be], because I'm confused as well. But I'm glad it looks like it's mostly working out.)

For the new issue, that's the salt not being different; I'm not sure that's a major concern. Do different input strings (eg, passwords) give unique results now? It's a little odd that the salt isn't necessarily unique, but as long as there are still many combinations, I imagine it won't be a major problem.

**traq** · 02-20-2013, 01:24 AM

Originally Posted by james438

Code:

$salt='$2y$07$111111111111111111111y';
$salt='$2y$07$1111111111111111111111';

both produce the same results.

Considering how new I am to crypt() I am going to assume the discrepancies between traq and myself has to do with errors on my part. I'm still trying to get some of the basic syntax down.

Where php.net says blowfish uses a 22-character salt, I think the docs are either a) counting that last $ as one of the characters, or b) wrong. Consider:

PHP Code:


print crypt( 'hello','$2y$07$111111111111111111111y' );
# output #            $2y$07$111111111111111111111uQeYcdC8/9Fn5yLUy.9ykXnYTaG3Dyhu

The output hash is prefixed with the salt - but the 'y' is omitted. One way or the other, I'm sure it's being dropped.

**james438** · 02-20-2013, 02:01 AM

I'm not so sure.

Code:

$salt='$2y$07$111111111111111111111e';

Changing "e" above to letters a-d produce the same hashes. e-t produce the same hashes. u-z produce the same results.

I'm happy with how blowfish is working now, so currently this is partly for fun. I'm also a little bit concerned that there is a flaw with how blowfish works. I have to wonder what other salts produce the same results?

**traq** · 02-20-2013, 02:22 AM

A-N, O-Z, and 0-9 also produce the same hashes...

damn you, james!

**james438** · 02-20-2013, 03:07 AM

Yeah, I'm not sure what to think of these findings.

Thanks for investigating those other letters and numbers. As far as I can tell blowfish is still better than DES (whatever DES is).

**djr33** · 02-20-2013, 05:03 AM

That's just weird. Is it only that last character? Have you noticed any other patterns for the whole string? Does 'aaaa'=='bbbb' for example?

And that is worrying because as far as I know (unless these algorithms are very different), a salt is just added to the string before hashing. So that would mean that the differences from one string to another would not create a different hash either, greatly increasing the chance of a collision. Potentially very problematic.

**traq** · 02-20-2013, 05:19 AM

I'm sure it's just something we don't quite understand about the algorithm (or, more likely, how crypt() applies the salt).
My head hurts. Night, all.

Thread: shouldn't these hashes be different?

Thread Tools

Search Thread

The Following User Says Thank You to james438 For This Useful Post:

Similar Threads

.htaccess rewrite to remove hashes

Bookmarks

Bookmarks

Posting Permissions