An oft-asked question – and oft-misunderstood – is what is the difference? Is one better than the other?

First, let’s take a quick look at how each one works.

How MD5 Works

MD5 creates a “hash” value based on an input string. It uses a one-way algorithm to turn the password into an unintelligible garble of words. Here’s a sample usage.

echo md5("Bananas");

Output:
1ee31b77d0697c36914b99d1428f7f32

This long string (32 characters) is the md5 hash value of “Bananas.” You can now store it in the database, and when a user wants to log in you compare md5($passwordInput) to this hash value.

Using Crypt to Encrypt a Password

Crypt has very similar functionality, but with a unique twist.

Crypt still encrypts a phrase in a one-way algorithm to create a garbled bunch of characters. Here’s an example…

echo crypt("Bananas");

Output:
$1$upPJosTV$HC4n2bUsQFZk2IDN1CLdg.

What’s unique about the crypt() function is that it uses an encryption key (or “salt”) to vary the encryption process. This means that you can encrypt the same password (“Bananas”) multiple times and get different hash values to store in your database.

Do I Have to Store the Encryption Key or Salt?

This is where the crypt() function gets a bit confusing. No, you don’t… because the encryption key is stored in the password itself.

Take another look at this output.

$1$upPJosTV$HC4n2bUsQFZk2IDN1CLdg.

The bold bit of text ($1$upPJosTV$) is the stored salt or encryption key (read how to use crypt() for more information on how this salt is created).

So, no. You don’t have to store the salt anywhere, because it’s stored in the hash’ed text. You can simply use that as the salt in the future to check if the password is correct. Like this…

if (crypt($passwordInput, $hashedPassword) == $hashedPassword) {
  //  Ok, log in and stuff.  }

Wait… My Encryption Key Is Stored IN the Password?!?

This is where most people think that crypt() is a waste of time. If the great thing about crypt() is that it uses a customizable encryption key, then isn’t it self-defeating to include the encryption key in the stored password?

Not entirely.

The problem with md5() is that everyone knows the encryption algorithm. Sure, you can’t go backwards… but you can easily build a dictionary of known passwords and known hashes. By storing these in a database, it is feasible to do a simple dictionary check to see if you have a password that goes with a known hash.

Why You Should Use Crypt() Instead

Since each crypt() call can use a unique encryption key, there can be no stored dictionary of password hashes.

Here’s an example. Try running this script to see how different salts or encryption keys can change the output of a crypt() call.

echo crypt("Bananas", 'ab') . '<br />';
echo crypt("Bananas", 'ed') . '<br />';
echo crypt("Bananas", 'pz') . '<br />';
echo crypt("Bananas", 'qp') . '<br />';

Output:
abBGdAR.aTnBE
edHaZeqWhmLpw
pzqz3tbQxuuRI
qp/4Jsj38Cq0Y

This illustrates the strength of crypt(). By using a different encryption key, the same password (“Bananas”) can be turned into many different hashes. You can’t simply create a lookup table with known passwords and known hashes – because the hash changes based on the encryption key.

The bottom line is that crypt() doesn’t make your passwords unbreakable or protect them from brute force attacks. If someone wants to take the time to check every possible permutation of characters to get to your password, they can do it.

But crypt() does prevent the use of a password dictionary that contains known passwords and known hashes. This would be a far more efficient way to hack a password than a simple brute force attack. So by using crypt() you’re getting an extra layer of security.

[Note: This article assumes you are using an md5 hash as the salt for crypt(). You could use an extended DES salt or a Blowfish salt for slightly different functionality, but these are not supported on all servers - including mine.]

Some systems generate these initially and have the user log in to set a permanent password. You might also have a “Reset” button, where the script generates a random password and e-mails it to the user.

This quick tutorial will show you how to create an 8 character random password containing a mix of letters and numbers. Or, if you’re impatient, jump straight to the function’s source code

There are plenty of ways to do this. The simplest method would be to take a random number, generate an md5 hash, and then use the first 8 characters as the password.

$password = md5( time() );
$password = substr($password, 0, 8);

But this doesn’t guarantee you an even mix of upper case letters, lower case letters, and numbers. To do that, we’ll need to use a few simple php functions and build a short script.

Build a Loop to Create Eight Characters

We’ll start our script by creating a blank string, looping eight times, and entering a character in the string each time.

$password = '';
for ($x = 0; $x < 8; $x++) {
   $password .= 'a';
}

This creates a blank string ($password) and iterates a loop eight times. At this point, the loop simply enters the letter ‘a’ into $password – so you end output should be ‘aaaaaaaa.’

Generate Random Characters

Now we need to generate random characters to go inside of the string. To do this, we can make use of the rand() and chr() functions. Replace the loop contents with this line.

$password = chr( rand(60, 95) );

chr() takes an integer and returns the ASCII equivalent of that number. In this case, we’re using rand() to get a number between 60 and 95 – so we should get an uppercase letter in return. Our random password should now contain eight random upper-case letters.

Randomly Enter Uppercase, Lowercase, and Numbers

To make the random password more secure, we should randomize whether the new character is a number, an upper-case letter, or a lower-case letter. We can execute a simple “switch” statement to randomly choose which type of character to enter.

Replace the loop contents with this new snippet.

switch ( rand(1, 3) ) {
 
   //  Add a random digit, 0-9
   case 1:
   $password .= rand(0, 9);
   break;
 
   //  Add a random upper-case letter
   case 2:
   $password .= chr( rand(65, 90) );
   break;
 
   //  Add a random lower-case letter
   case 3:
   $password  .= chr( rand(97, 122) );
   break;
}

We’re using rand(1, 3) to randomly choose which case to execute. Each case then enters a different type of character in the string. The first case simply returns a random digit. The second and third cases use chr() and rand() to return a random character.

At this point, the script should give you an eight-character password with a random mix of uppercase letters, lowercase letters, and numbers. Now you can e-mail the password to the user, take a hash of the password, and store it in the database.

For reference, here’s the entire script placed in a function.

function randPassword() {
   $password = '';
 
   for ($x = 1; $x <= 8; $x++) {
      switch ( rand(1, 3) ) {
 
      //  Add a random digit, 0-9
      case 1:
      $password .= rand(0, 9);
      break;
 
      //  Add a random upper-case letter
      case 2:
      $password .= chr( rand(65, 90) );
      break;
 
      //  Add a random lower-case letter
      case 3:
      $password  .= chr( rand(97, 122) );
      break;
      }
   }
 
   return $password;
}

There are a bunch of ways you could create and check passwords – from an insecure string in a database to an encrypted “hash” that you check against user input. This tutorial will show you how to use the crypt() function to store and check passwords in a php script.

What Does the Crypt() Function Do?

The crypt() function takes two parameters – the first parameter is the actual input (the password to test) and the second parameter is a “salt” or encryption key that is used to encrypt the password phrase.

Let’s take a look at what the crypt() function does with some input.

echo crypt("Gobble", "xt");

Would yield the output…

xt0iPj3UKFQSM

The function used the encryption key “xt” to turn “Gobble” into an encrypted mess. Now, a person looking through the database won’t be able to find out a person’s password. They’ll only find the encrypted password – which won’t work if you enter it into a script.

The Crypt() Function Stores the Encryption Key in the Output

There’s an important pattern here, though, that we can see if we look at a couple of crypt() calls in a row.

echo crypt("Gobble", "ab");
echo crypt("Gobble", "td");
echo crypt("Gobble", "pz");

Would yield the output…

ab30/okS7bRdo
tdylLlJ9zwOss
pz0u5z5fgyCK.

You can break each piece of output into two pieces – the first two characters and the last 11 characters.

The first two characters “ab,” “td,” and “pz” are the three “salts” or encryption keys that we used in our crypt() calls. The last 11 characters are the actual encrypted pass phrases.

This simple point is crucial to the functioning of crypt(). It stores the encryption key inside the encrypted phrase, so that you can use it to encrypt a new phrase – and compare them. If you use the encrypted phrase as your “salt” (the second parameter for crypt()), the function will isolate the encryption key and ignore the rest.

So this example would output “Passwords match!”

$password = "Gobble"; // User input
$salt = "ab"; // Encryption key
$encrypted = crypt($password, $salt);
if ( crypt($password, $encrypted) == 
    $encrypted) {
  echo "Passwords match!"; }

In this case we’re using the encrypted password ($encypt) to perform the encryption algorithm on the user’s input ($password) to see if they match. Normally, you would have $encrypted stored in the database to perform comparisons in your script.

Use an MD5 Hash Salt to Encrypt Phrases Over 8 Characters

The final thing to keep in mind about crypt() is that it can use different kinds of salts or encryption keys. The two-character salt we’ve been using is pretty weak. It also has a flaw in functionality – using a two-character encryption key, the crypt() function will ignore everything past the first 8 characters of the phrase to be encrypted.

So both of these statements would have the same output.

echo crypt("Gobbledeygook", "ab");
echo crypt("Gobbledeygah", "ab");

The crypt() function is only encrypting the first eight characters – “Gobblede”. The rest is ignored.

You can change this by using a special type of encryption key – a md5 hash. Under normal circumstances, this is enabled in php, but you can double check by seeing if the constant CRYPT_MD5 is set to ’1′.

An md5 hash salt is formatted like this – $1$xxxxxxxx$. “$1$”, followed by eight random characters, followed by a closing “$”. You could create one yourself to use as a salt.

However, in most cases if you provide no salt or encryption key at all, php will generate a random salt for you. So, for example, when you are entering a new password into the database you can use this statement…

$password = crypt("Gobble");

This variable ($password) can now be stored in the database. Remember that $password holds both the encrypted phrase (Gobble) and the random encryption key. So to check if a user entered the correct password you would fetch $password from the database and use this statement…

if ( crypt($userInput, $password) == $password)
{ //  Ok, the passwords matched }

Now that you know how crypt() works, get to it. Start creating user-authentication scripts and work your encryption magic.