problem with crypt function

Steven Stern subscribed-lists at sterndata.com
Thu Jan 9 18:19:48 UTC 2014


On 01/09/2014 11:47 AM, Doug Poulin wrote:
> A user found this strange problem.  When their password ends in a single
> digit, you can use any number instead of that one and still get the same
> encrypted result. Also if you add an extra digit onto the end you get a
> similar result. Below is a sample:
>
> Sample test program:
>
> #!/usr/bin/perl
> my($passwd,$crypt,$salt,$tcrypt);
> my(@saltar,$cnt,$rnd);
>
> print "Enter your password to encrypt: ";
> $passwd = (<STDIN>);
> chop($passwd);
>
> @set = (a..z,A..Z,0..9);
> for ($cnt=0; $cnt<2; $cnt++) {
>         $rnd = int(rand(62));
>         $saltar[$cnt]=$set[$rnd];
> }
> $salt = $saltar[0] . $saltar[1];
>
> $crypt = crypt($passwd,$salt);
>
> print "Encrypted string using $salt is $crypt\n";
>
> print "Enter in a test password: ";
> $passwd = (<STDIN>);
> chop $passwd;
>
> $salt = substr($crypt,0,2);
> $tcrypt = crypt($passwd,$salt);
>
> print "Result of test encrypt: $tcrypt\n";
>
> Sample output 1:
>
> Enter your password to encrypt: aabbccddee
> Encrypted string using j1 is j1E.Uer2plwdM
> Enter in a test password: aabbccddee1
> Result of test encrypt: j1E.Uer2plwdM
>
> Enter your password to encrypt: aabbccdde1
> Encrypted string using 2z is 2zL6VvHA/mBl.
> Enter in a test password: aabbccdde2
> Result of test encrypt: 2zL6VvHA/mBl.
>

In the crypt documentation on php.net, it says

"The standard DES-based crypt() returns the salt as the first two
characters of the output. It also only uses the first eight characters
of str, so longer strings that start with the same eight characters will
generate the same result (when the same salt is used)."


-- 
-- Steve
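
Added example, not part of the original thread or of any project's code: a Python sketch that models which bytes traditional DES crypt() keys on (first eight, low 7 bits each) and flags DES-format hashes in shadow-style lines. The function names, user names and the `$6$` entry are assumptions made up for illustration; it does not call crypt() itself.

```python
import re

# Traditional DES crypt(3) output: 2 salt chars + 11 hash chars, all from [./0-9A-Za-z].
DES_RE = re.compile(r"[./0-9A-Za-z]{13}")
MODULAR = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}

def des_effective_key(password: str) -> bytes:
    """What traditional DES crypt() keys on: the first 8 bytes of the
    password, low 7 bits of each (56-bit key); the rest is ignored."""
    raw = password.encode("utf-8")[:8].ljust(8, b"\0")  # assumption: UTF-8 input
    return bytes(b & 0x7F for b in raw)

def des_equivalent(a: str, b: str) -> bool:
    """True if DES crypt() cannot tell the two passwords apart (same salt)."""
    return des_effective_key(a) == des_effective_key(b)

def scheme(stored: str) -> str:
    """Classify a stored crypt(3) string by its format alone."""
    if stored.startswith("$"):
        return MODULAR.get(stored.split("$")[1], "unknown-modular")
    if DES_RE.fullmatch(stored):
        return "des"
    return "no-hash"  # "*", "!", empty and similar markers

def audit(lines):
    """Return users in shadow-style lines whose hash is traditional DES."""
    flagged = []
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) >= 2 and scheme(fields[1]) == "des":
            flagged.append(fields[0])
    return flagged

# Constructed sample: user names and the $6$ entry are made up; the two DES
# strings are the ones shown in the sample output above.
SAMPLE = [
    "alice:j1E.Uer2plwdM:16079:0:99999:7:::",
    "bob:2zL6VvHA/mBl.:16079:0:99999:7:::",
    "carol:$6$EXAMPLESALT$EXAMPLEHASHPLACEHOLDER:16079:0:99999:7:::",
    "daemon:*:16079:0:99999:7:::",
]

if __name__ == "__main__":
    print(des_equivalent("aabbccddee", "aabbccddee1"))  # 9th+ characters ignored
    print(des_equivalent("aabbccdde1", "aabbccdde2"))
    print(audit(SAMPLE))
```

Accounts flagged by `audit` are the ones where only the first eight characters of the password matter; moving them to a modular (`$`-prefixed) scheme requires re-hashing at the next password change.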


More information about the selinux mailing list