crypt

Is it possible to compare two crypt Docs -ed strings and see if they match? A user logs in, a session is created storing the user's ID and its corresponding crypt -ed password hash. In the background a check keeps running to see if the session (read, password) is still valid. So technically I want to compare the crypt -ed password in the database with the crypted password in the session. Is this possible? EDIT: Should've said I was using the following method to crypt a password; function better_crypt($input, $rounds = 7) { $salt = ""; $salt_chars = array_merge(range('A','Z'), range('a','z'),

I'm currently implementing a login system. I want to store the password and the salt in a database. Now I found out that there is a hash() and a crypt() function which seems to do the same (valid for SHA512). hash() is newer and seems to support more hashing alogrithms than crypt() . Or there any other differences I should know/care about? Edit: function generatePasswordHash($password){ $salt = base64_encode(mcrypt_create_iv(8)); $calculatedPasswordHash = crypt($password, '$1$' . $salt . '$'); return $calculatedPasswordHash; } The result looks like $1$Qh6ByGJ9$zLn3yq62egvmc9D7SzA2u. Here my

I have read the information provided on the PHP Manual Entry for crypt() , but I find myself still unsure of the format for a salt to trigger the Blowfish algorithm. According manual entry, I should use '$2$' or '$2a$' as the start of a 16 character string. However, in the example given later, they use a much longer string: ' $2a$07$usesomesillystringforsalt$ ', which indicates to me that whatever string I provide will be sliced and diced to fit the model. The problem I am encountering is actually triggering the Blowfish algo vs STD_DES . Example: $foo = 'foo'; $salt = '$2a$' . hash('whirlpool

I am having a bit little bit of trouble understanding php's crypt function. My PHP version is 5.4.7. I want to use crypt to store salted passwords in the database, because as far as I am told, developers who use md5 to hash passwords are to be staked and burned on the spot. I wanted to use the blowfish alg to generate the hash. Now, according to the php documentation, crypt uses blowfish if you call it with "$2y$" + cost (for instance: "08") + "$" + 22 characters salt ( ./0-9A-Za-z ). However, the output of this little bit of test code is confusing me: echo "<pre>"; if (CRYPT_BLOWFISH == 1) {

This question has to do with PHP's implementation of crypt() . For this question, the first 7 characters of the salt are not counted, so a salt ' $2a$07$a ' would be said to have a length of 1, as it is only 1 character of salt and seven characters of meta-data. When using salt strings longer than 22 characters, there is no change in the hash generated (i.e., truncation), and when using strings shorter than 21 characters the salt will automatically be padded (with ' $ ' characters, apparently); this is fairly straightforward. However, if given a salt 20 characters and a salt 21 characters,