There are a bunch of ways you could create and check passwords – from an insecure string in a database to an encrypted “hash” that you check against user input. This tutorial will show you how to use the crypt() function to store and check passwords in a php script.

What Does the Crypt() Function Do?

The crypt() function takes two parameters – the first parameter is the actual input (the password to test) and the second parameter is a “salt” or encryption key that is used to encrypt the password phrase.

Let’s take a look at what the crypt() function does with some input.

echo crypt("Gobble", "xt");

Would yield the output…

xt0iPj3UKFQSM

The function used the encryption key “xt” to turn “Gobble” into an encrypted mess. Now, a person looking through the database won’t be able to find out a person’s password. They’ll only find the encrypted password – which won’t work if you enter it into a script.

The Crypt() Function Stores the Encryption Key in the Output

There’s an important pattern here, though, that we can see if we look at a couple of crypt() calls in a row.

echo crypt("Gobble", "ab");
echo crypt("Gobble", "td");
echo crypt("Gobble", "pz");

Would yield the output…

ab30/okS7bRdo
tdylLlJ9zwOss
pz0u5z5fgyCK.

You can break each piece of output into two pieces – the first two characters and the last 11 characters.

The first two characters “ab,” “td,” and “pz” are the three “salts” or encryption keys that we used in our crypt() calls. The last 11 characters are the actual encrypted pass phrases.

This simple point is crucial to the functioning of crypt(). It stores the encryption key inside the encrypted phrase, so that you can use it to encrypt a new phrase – and compare them. If you use the encrypted phrase as your “salt” (the second parameter for crypt()), the function will isolate the encryption key and ignore the rest.

So this example would output “Passwords match!”

$password = "Gobble"; // User input
$salt = "ab"; // Encryption key
$encrypted = crypt($password, $salt);
if ( crypt($password, $encrypted) == 
    $encrypted) {
  echo "Passwords match!"; }

In this case we’re using the encrypted password ($encypt) to perform the encryption algorithm on the user’s input ($password) to see if they match. Normally, you would have $encrypted stored in the database to perform comparisons in your script.

Use an MD5 Hash Salt to Encrypt Phrases Over 8 Characters

The final thing to keep in mind about crypt() is that it can use different kinds of salts or encryption keys. The two-character salt we’ve been using is pretty weak. It also has a flaw in functionality – using a two-character encryption key, the crypt() function will ignore everything past the first 8 characters of the phrase to be encrypted.

So both of these statements would have the same output.

echo crypt("Gobbledeygook", "ab");
echo crypt("Gobbledeygah", "ab");

The crypt() function is only encrypting the first eight characters – “Gobblede”. The rest is ignored.

You can change this by using a special type of encryption key – a md5 hash. Under normal circumstances, this is enabled in php, but you can double check by seeing if the constant CRYPT_MD5 is set to ’1′.

An md5 hash salt is formatted like this – $1$xxxxxxxx$. “$1$”, followed by eight random characters, followed by a closing “$”. You could create one yourself to use as a salt.

However, in most cases if you provide no salt or encryption key at all, php will generate a random salt for you. So, for example, when you are entering a new password into the database you can use this statement…

$password = crypt("Gobble");

This variable ($password) can now be stored in the database. Remember that $password holds both the encrypted phrase (Gobble) and the random encryption key. So to check if a user entered the correct password you would fetch $password from the database and use this statement…

if ( crypt($userInput, $password) == $password)
{ //  Ok, the passwords matched }

Now that you know how crypt() works, get to it. Start creating user-authentication scripts and work your encryption magic.