PHP crypt password


1

I have two questions about the encryption of passwords. I have this code:

1-

$mainpass = "test123";
$md5pass = md5($mainpass);
$sha1pass = sha1($md5pass);
$cryptpass = crypt($sha1pass, 'st');

echo ($cryptpass);

Whose output is: 'stSuGIR46GScI'.

But I do not understand why this (below) is not equal and the output is always changing:

$mainpass = "test123";
$cryptpass = crypt(sha1(md5($mainpass)));

echo ($cryptpass);

By my logic it would be equivalent.

2- When checking and validating the password, how would the code below, which has only md5, change to match the encryption done above (in the correct case)?

if(isset($_POST['username'], $_POST['password'])) {
    $username = $_POST['username'];
    $password = md5($_POST['password']);

  • I have seen that this was answered, but a concern arose: is the example only to try to understand what is happening, or is it being used in production? Be careful when using the same salt; it is an error. Look for bcrypt.

  • Yes, I have heard. This is for a CMS; the user will be only one, but obvious by the contact

1 answer

2


Case 1:

In the first example, you are adding a salt ('st') when calling the crypt function. I believe the problem is there, since it is the only visible difference. Change the second example to:

$cryptpass = crypt(sha1(md5($mainpass)), 'st');

Case 2:

Following the same logic, change the line on which the password is set:

$password = crypt(sha1(md5($_POST['password'])), 'st');
  • Of course the st... Very obnoxious @Michael
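
The fixed-salt behaviour discussed above, next to the bcrypt approach the comment recommends, as an added example that is not code from the question or the answer. `LEGACY_SALT`, `legacy_hash()` and `verify_login()` are hypothetical names, and the sketch assumes PHP 7.1 or later.

```php
<?php
const LEGACY_SALT = 'st'; // fixed salt taken from the question

// Hash exactly as the question builds it.
function legacy_hash(string $password): string
{
    return crypt(sha1(md5($password)), LEGACY_SALT);
}

// Hypothetical helper: checks a login against either hash format. On success
// $upgrade holds a bcrypt hash to store when the old one should be replaced.
function verify_login(string $submitted, string $stored, ?string &$upgrade = null): bool
{
    $upgrade = null;
    $isLegacy = strlen($stored) === 13 && strncmp($stored, LEGACY_SALT, 2) === 0;
    $ok = $isLegacy
        ? hash_equals($stored, legacy_hash($submitted))
        : password_verify($submitted, $stored);
    if ($ok && ($isLegacy || password_needs_rehash($stored, PASSWORD_BCRYPT))) {
        $upgrade = password_hash($submitted, PASSWORD_BCRYPT);
    }
    return $ok;
}

$mainpass = 'test123'; // constructed sample value, same as in the question

// Fixed salt: the output repeats, and the salt is its first two characters.
$old = legacy_hash($mainpass);
var_dump($old === legacy_hash($mainpass), substr($old, 0, 2) === LEGACY_SALT);

// Traditional DES crypt reads only the first 8 characters of its input, so
// most of the 40-character sha1() digest never reaches the hash.
$digest = sha1(md5($mainpass));
var_dump(hash_equals($old, crypt(substr($digest, 0, 8), LEGACY_SALT)));

// bcrypt: a random salt per call, so two hashes differ yet both verify.
$a = password_hash($mainpass, PASSWORD_BCRYPT);
$b = password_hash($mainpass, PASSWORD_BCRYPT);
var_dump($a !== $b, password_verify($mainpass, $a), password_verify($mainpass, $b));

// Login check: a legacy hash verifies once and yields a bcrypt replacement.
var_dump(verify_login($mainpass, $old, $new), verify_login('wrong', $old));
var_dump(verify_login($mainpass, $new, $again), $again === null);
```

With `password_hash()` the salt and cost are stored inside the hash string itself, so the login code never has to supply a salt.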
