How to Use the Crypt() Function to Encrypt and Check Passwords
Every PHP script that involves some kind of user login and database interaction has one very important feature: password checking and encryption.
There are a bunch of ways you could create and check passwords, from an insecure plain string in a database to an encrypted “hash” that you check against user input. This tutorial will show you how to use the crypt() function to store and check passwords in a PHP script.
What Does the Crypt() Function Do?
The crypt() function takes two parameters: the first is the actual input (the password to test) and the second is a “salt” or encryption key that is used to encrypt the password phrase.
Let’s take a look at what the crypt() function does with some input.
echo crypt("Gobble", "xt");
Would yield the output…
xt0iPj3UKFQSM
The function used the encryption key “xt” to turn “Gobble” into an encrypted mess. Now, a person looking through the database won’t be able to find out a user’s password; they’ll only find the encrypted password, which won’t work if it is entered into the login script.
The Crypt() Function Stores the Encryption Key in the Output
There’s an important pattern here, though, that we can see if we look at a couple of crypt() calls in a row.
echo crypt("Gobble", "ab"), "\n";
echo crypt("Gobble", "td"), "\n";
echo crypt("Gobble", "pz"), "\n";
Would yield the output…
ab30/okS7bRdo
tdylLlJ9zwOss
pz0u5z5fgyCK.
You can break each piece of output into two parts: the first two characters and the last 11 characters.
The first two characters, “ab”, “td” and “pz”, are the three “salts” or encryption keys that we used in our crypt() calls. The last 11 characters are the actual encrypted pass phrases.
This simple point is crucial to the way crypt() is used. It stores the encryption key inside the encrypted phrase, so that you can reuse that key to encrypt a new phrase and compare the two results. If you pass the encrypted phrase as your “salt” (the second parameter to crypt()), the function will pick out the encryption key and ignore the rest.
So this example would output “Passwords match!”
$password = "Gobble"; // User input
$salt = "ab";         // Encryption key
$encrypted = crypt($password, $salt);
if (crypt($password, $encrypted) == $encrypted) {
    echo "Passwords match!";
}
In this case we’re using the encrypted password ($encrypted) as the salt to run the encryption algorithm over the user’s input ($password) and see if the two results match. Normally, you would have $encrypted stored in the database and fetch it to perform the comparison in your script.
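The store-then-check round trip described above, written out as an added example that is not part of the original tutorial. The helper names (des_salt, hash_password, check_password) are assumptions for this illustration. It generates the two-character salt from random_bytes() rather than hard-coding one, refuses to store the short failure string crypt() returns when something goes wrong, and compares with hash_equals() instead of ==, so the check runs in constant time and is not subject to PHP’s loose string comparison.

```php
<?php
// Added example, not the tutorial's own code. Assumes PHP >= 7.0
// (random_bytes) and >= 5.6 (hash_equals).

// Two random characters from the alphabet crypt() accepts for a
// traditional DES salt: [./0-9A-Za-z]. Base64 gives A-Za-z0-9+/ and
// '+' is mapped to '.', which is also a valid salt character.
function des_salt(): string
{
    return substr(strtr(base64_encode(random_bytes(2)), '+', '.'), 0, 2);
}

// Hash a new password. The returned 13-character string holds the
// salt in its first two characters followed by the 11-character hash.
function hash_password(string $password, string $salt): string
{
    $hash = crypt($password, $salt);
    // crypt() signals failure with a string shorter than 13 characters
    // (for example "*0"); never store that as a password hash.
    if (strlen($hash) < 13) {
        throw new RuntimeException('crypt() failed to produce a hash');
    }
    return $hash;
}

// Check user input against a stored hash. Passing the stored hash as the
// salt makes crypt() reuse the salt embedded in its first two characters,
// so the output is comparable with what is in the database.
function check_password(string $input, string $stored): bool
{
    return hash_equals($stored, crypt($input, $stored));
}

// Constructed sample values for the demonstration.
$stored = hash_password("Gobble", "ab");
echo "stored hash: ", $stored, "\n";
echo "salt part:   ", substr($stored, 0, 2), "\n";
echo "hash part:   ", substr($stored, 2), "\n";

$random = hash_password("Gobble", des_salt());
echo "same password, random salt: ", $random, "\n";

var_dump(check_password("Gobble", $stored));   // correct password
var_dump(check_password("gobble", $stored));   // wrong case
var_dump(check_password("Gobble", $random));   // works with any salt
```

The last line shows the point of the section: the verifier never needs to know the salt separately, because it travels inside the stored value.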
Use an MD5 Hash Salt to Encrypt Phrases Over 8 Characters
The final thing to keep in mind about crypt() is that it can use different kinds of salts or encryption keys. The two-character salt we’ve been using is pretty weak. It also has a functional flaw: with a two-character encryption key, crypt() ignores everything past the first 8 characters of the phrase to be encrypted.
So both of these statements would have the same output.
echo crypt("Gobbledeygook", "ab"), "\n";
echo crypt("Gobbledeygah", "ab"), "\n";
The crypt() function is only encrypting the first eight characters, “Gobblede”. The rest is ignored.
You can change this by using a special type of encryption key: an MD5 hash salt. Under normal circumstances this is enabled in PHP, but you can double-check by seeing whether the constant CRYPT_MD5 is set to 1.
An MD5 hash salt is formatted like this: $1$xxxxxxxx$, that is, “$1$”, followed by eight random characters, followed by a closing “$”. You could create one yourself to use as a salt.
However, in most cases, if you provide no salt or encryption key at all, PHP will generate a random salt for you. So, for example, when you are entering a new password into the database you can use this statement…
$password = crypt("Gobble");
This variable ($password) can now be stored in the database. Remember that $password holds both the encrypted form of the phrase (Gobble) and the random encryption key. So to check whether a user entered the correct password you would fetch $password from the database and use this statement…
if (crypt($userInput, $password) == $password) {
    // Ok, the passwords matched
}
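An added example, not the tutorial's own code, covering the two points of this section: the eight-character truncation of the two-character DES salt, and the $1$ MD5 salt that avoids it. It builds the salt itself because crypt() has required the salt argument since PHP 8.0 (on earlier versions the one-argument form in the text still works). The function names md5_crypt_salt, store_password and verify_password are assumptions for this illustration. It closes with password_hash() and password_verify(), which PHP has offered since 5.5 and which pick a stronger algorithm and a random salt for you.

```php
<?php
// Added example, not the tutorial's own code. Assumes PHP >= 7.0
// (random_bytes) and >= 5.6 (hash_equals).

// "$1$" + eight characters from [./0-9A-Za-z] + "$".
// Six random bytes base64-encode to exactly eight characters.
function md5_crypt_salt(): string
{
    $chars = substr(strtr(base64_encode(random_bytes(6)), '+', '.'), 0, 8);
    return '$1$' . $chars . '$';
}

// Hash a new password with a fresh MD5-crypt salt for storage.
function store_password(string $password): string
{
    if (CRYPT_MD5 !== 1) {
        throw new RuntimeException('MD5 crypt is not available in this PHP build');
    }
    $hash = crypt($password, md5_crypt_salt());
    // A result shorter than 13 characters means crypt() failed.
    if (strlen($hash) < 13) {
        throw new RuntimeException('crypt() failed to produce a hash');
    }
    return $hash;
}

// The stored value carries "$1$<salt>$", so it can be passed back as the
// salt; hash_equals() keeps the comparison constant-time.
function verify_password(string $input, string $stored): bool
{
    return hash_equals($stored, crypt($input, $stored));
}

// Truncation: these two passwords share their first eight characters,
// so under a two-character DES salt they produce the same hash.
$a = crypt("Gobbledeygook", "ab");
$b = crypt("Gobbledeygah", "ab");
echo "DES hashes identical: ", var_export($a === $b, true), "\n";

// Under an MD5 salt the whole phrase is used and they differ.
$salt = md5_crypt_salt();
$c = crypt("Gobbledeygook", $salt);
$d = crypt("Gobbledeygah", $salt);
echo "MD5 hashes identical: ", var_export($c === $d, true), "\n";

// Store-and-check round trip with the generated salt.
$stored = store_password("Gobble");
echo "stored: ", $stored, "\n";
var_dump(verify_password("Gobble", $stored));
var_dump(verify_password("Gobbler", $stored));

// Current practice: let PHP choose algorithm and salt (bcrypt by default).
$modern = password_hash("Gobble", PASSWORD_DEFAULT);
var_dump(password_verify("Gobble", $modern));
```

Running it prints true for the DES pair and false for the MD5 pair, which is the whole reason the section recommends the longer salt; the final two calls show the same store-and-verify pattern with the API a new script should use today.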
Now that you know how crypt() works, get to it. Start creating user-authentication scripts and work your encryption magic.
How to Encrypt and Hash Passwords in Php | Review of Information about Web Design said this on February 20th, 2008 at 2:03 pm
[...] twice, you would get two different results. Here’s some extra reading on how to use crypt to hash and encrypt a password in PHP. So Which is [...]
php talk » How to Encrypt and Hash Passwords in Php said this on November 22nd, 2009 at 10:52 am
[...] If you do not provide a salt or encryption key, then PHP creates one for you. This changes the way the word is hashed. So if you called crypt("Bananas") twice, you would get two different results. Here’s some extra reading on how to use crypt to hash and encrypt a password in PHP. [...]