An oft-asked question – and oft-misunderstood – is what is the difference? Is one better than the other?

First, let’s take a quick look at how each one works.

How MD5 Works

MD5 creates a “hash” value based on an input string. It uses a one-way algorithm to turn the password into an unintelligible garble of words. Here’s a sample usage.

echo md5("Bananas");

Output:
1ee31b77d0697c36914b99d1428f7f32

This long string (32 characters) is the md5 hash value of “Bananas.” You can now store it in the database, and when a user wants to log in you compare md5($passwordInput) to this hash value.

Using Crypt to Encrypt a Password

Crypt has very similar functionality, but with a unique twist.

Crypt still encrypts a phrase in a one-way algorithm to create a garbled bunch of characters. Here’s an example…

echo crypt("Bananas");

Output:
$1$upPJosTV$HC4n2bUsQFZk2IDN1CLdg.

What’s unique about the crypt() function is that it uses an encryption key (or “salt”) to vary the encryption process. This means that you can encrypt the same password (“Bananas”) multiple times and get different hash values to store in your database.

Do I Have to Store the Encryption Key or Salt?

This is where the crypt() function gets a bit confusing. No, you don’t… because the encryption key is stored in the password itself.

Take another look at this output.

$1$upPJosTV$HC4n2bUsQFZk2IDN1CLdg.

The bold bit of text ($1$upPJosTV$) is the stored salt or encryption key (read how to use crypt() for more information on how this salt is created).

So, no. You don’t have to store the salt anywhere, because it’s stored in the hash’ed text. You can simply use that as the salt in the future to check if the password is correct. Like this…

if (crypt($passwordInput, $hashedPassword) == $hashedPassword) {
  //  Ok, log in and stuff.  }

Wait… My Encryption Key Is Stored IN the Password?!?

This is where most people think that crypt() is a waste of time. If the great thing about crypt() is that it uses a customizable encryption key, then isn’t it self-defeating to include the encryption key in the stored password?

Not entirely.

The problem with md5() is that everyone knows the encryption algorithm. Sure, you can’t go backwards… but you can easily build a dictionary of known passwords and known hashes. By storing these in a database, it is feasible to do a simple dictionary check to see if you have a password that goes with a known hash.

Why You Should Use Crypt() Instead

Since each crypt() call can use a unique encryption key, there can be no stored dictionary of password hashes.

Here’s an example. Try running this script to see how different salts or encryption keys can change the output of a crypt() call.

echo crypt("Bananas", 'ab') . '<br />';
echo crypt("Bananas", 'ed') . '<br />';
echo crypt("Bananas", 'pz') . '<br />';
echo crypt("Bananas", 'qp') . '<br />';

Output:
abBGdAR.aTnBE
edHaZeqWhmLpw
pzqz3tbQxuuRI
qp/4Jsj38Cq0Y

This illustrates the strength of crypt(). By using a different encryption key, the same password (“Bananas”) can be turned into many different hashes. You can’t simply create a lookup table with known passwords and known hashes – because the hash changes based on the encryption key.

The bottom line is that crypt() doesn’t make your passwords unbreakable or protect them from brute force attacks. If someone wants to take the time to check every possible permutation of characters to get to your password, they can do it.

But crypt() does prevent the use of a password dictionary that contains known passwords and known hashes. This would be a far more efficient way to hack a password than a simple brute force attack. So by using crypt() you’re getting an extra layer of security.

[Note: This article assumes you are using an md5 hash as the salt for crypt(). You could use an extended DES salt or a Blowfish salt for slightly different functionality, but these are not supported on all servers - including mine.]

Some systems generate these initially and have the user log in to set a permanent password. You might also have a “Reset” button, where the script generates a random password and e-mails it to the user.

This quick tutorial will show you how to create an 8 character random password containing a mix of letters and numbers. Or, if you’re impatient, jump straight to the function’s source code

There are plenty of ways to do this. The simplest method would be to take a random number, generate an md5 hash, and then use the first 8 characters as the password.

$password = md5( time() );
$password = substr($password, 0, 8);

But this doesn’t guarantee you an even mix of upper case letters, lower case letters, and numbers. To do that, we’ll need to use a few simple php functions and build a short script.

Build a Loop to Create Eight Characters

We’ll start our script by creating a blank string, looping eight times, and entering a character in the string each time.

$password = '';
for ($x = 0; $x < 8; $x++) {
   $password .= 'a';
}

This creates a blank string ($password) and iterates a loop eight times. At this point, the loop simply enters the letter ‘a’ into $password – so you end output should be ‘aaaaaaaa.’

Generate Random Characters

Now we need to generate random characters to go inside of the string. To do this, we can make use of the rand() and chr() functions. Replace the loop contents with this line.

$password = chr( rand(60, 95) );

chr() takes an integer and returns the ASCII equivalent of that number. In this case, we’re using rand() to get a number between 60 and 95 – so we should get an uppercase letter in return. Our random password should now contain eight random upper-case letters.

Randomly Enter Uppercase, Lowercase, and Numbers

To make the random password more secure, we should randomize whether the new character is a number, an upper-case letter, or a lower-case letter. We can execute a simple “switch” statement to randomly choose which type of character to enter.

Replace the loop contents with this new snippet.

switch ( rand(1, 3) ) {
 
   //  Add a random digit, 0-9
   case 1:
   $password .= rand(0, 9);
   break;
 
   //  Add a random upper-case letter
   case 2:
   $password .= chr( rand(65, 90) );
   break;
 
   //  Add a random lower-case letter
   case 3:
   $password  .= chr( rand(97, 122) );
   break;
}

We’re using rand(1, 3) to randomly choose which case to execute. Each case then enters a different type of character in the string. The first case simply returns a random digit. The second and third cases use chr() and rand() to return a random character.

At this point, the script should give you an eight-character password with a random mix of uppercase letters, lowercase letters, and numbers. Now you can e-mail the password to the user, take a hash of the password, and store it in the database.

For reference, here’s the entire script placed in a function.

function randPassword() {
   $password = '';
 
   for ($x = 1; $x <= 8; $x++) {
      switch ( rand(1, 3) ) {
 
      //  Add a random digit, 0-9
      case 1:
      $password .= rand(0, 9);
      break;
 
      //  Add a random upper-case letter
      case 2:
      $password .= chr( rand(65, 90) );
      break;
 
      //  Add a random lower-case letter
      case 3:
      $password  .= chr( rand(97, 122) );
      break;
      }
   }
 
   return $password;
}