crypt length

  • Paul Fournier

    crypt length

    Just wondering, does anyone know if the crypt() function in PHP will always
    return a 34 character string if not salted? I want to encrypt my user's
    passwords into a database and I want to make sure I give the right length. I
    have tried some tests on both windows platform and FreeBSD and it seems to
    be consistent.

    --
    ::Paul Fournier::
    ::Programmer/Analyst::
    ::Center for the Digital Arts::
    ::1455, boul. de Maisonneuve O., VA 03-1::
    ::Montreal, Quebec. H3G 1M8::
    ::Tel.848-2424 ext 4322, Cell.576-6451, Fax.848-4599::


  • Reply Via Newsgroup

    #2
    Re: crypt length

    Paul Fournier wrote:
    > Just wondering, does anyone know if the crypt() function in PHP will always
    > return a 34 character string if not salted? I want to encrypt my user's
    > passwords into a database and I want to make sure I give the right length. I
    > have tried some tests on both windows platform and FreeBSD and it seems to
    > be consistent.

    I can't answer your question on crypt() but I use md5() or sha1() and
    they both return 32 and 40 characters length guaranteed every time. They
    generate hashes and thus cannot be decrypted but they are considered to
    be unique.

    I'd recommend md5() or sha1() over crypt in part because I believe they
    are compiled in the standard version of PHP and require no external
    libraries that crypt() might require.

    To test for a password, you store the encrypted version of the password
    in your database or whatever.

    Then, when a user wants to gain access to the system, and they enter
    their password, you re-hash their password and search for it in your
    database - Both hashes should equal if they were entered exactly the
    same (hashes can differ hugely even if a capital letter or space is out
    of place).

    Does this help you any?

    randelld


    • Paul Fournier

      #3
      Re: crypt length

      Yes it does randelld,

      thanks for the tip. I'll look into it. It seems that md5 and sha1 both
      use the same mechanism for validation that crypt uses so it'll be easy to
      switch between all three if I wrap it up in an abstraction function.

      --
      ::Paul Fournier::
      ::Programmer/Analyst::
      ::Center for the Digital Arts::
      ::1455, boul. de Maisonneuve O., VA 03-1::
      ::Montreal, Quebec. H3G 1M8::
      ::Tel.848-2424 ext 4322, Cell.576-6451, Fax.848-4599::
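As an added example (not part of any post in this thread, and not the posters' code): the length of a crypt() result is set by the scheme that the salt prefix selects, so the sketch below prints the length for each scheme and checks a password the way the thread describes, by re-hashing and comparing. The password and salt strings are constructed sample values, and verify_crypt() is a hypothetical helper name.

```php
<?php
// Added example, not code from the thread. Password and salts are constructed sample values.
$password = 'correct horse battery staple';

// The salt prefix selects the scheme, and the scheme determines the output length.
$salts = [
    'Standard DES'    => 'rl',
    'MD5 ($1$)'       => '$1$rasmusle$',
    'Blowfish ($2y$)' => '$2y$10$usesomesillystringfors',
    'SHA-256 ($5$)'   => '$5$usesomesillystri$',
    'SHA-512 ($6$)'   => '$6$usesomesillystri$',
];

/** Hypothetical helper: recompute crypt() using the stored hash as the salt, compare in constant time. */
function verify_crypt(string $candidate, string $stored): bool
{
    $recomputed = crypt($candidate, $stored);
    // On failure crypt() returns a short marker string ("*0" or "*1"), never a valid hash.
    return strlen($stored) > 2 && hash_equals($stored, $recomputed);
}

$longest = 0;
foreach ($salts as $scheme => $salt) {
    $hash = crypt($password, $salt);
    $longest = max($longest, strlen($hash));
    // The wrong candidate differs only in the case of its first letter.
    printf("%-16s length=%3d  verify=%s  reject_wrong=%s\n",
        $scheme, strlen($hash),
        var_export(verify_crypt($password, $hash), true),
        var_export(!verify_crypt('Correct horse battery staple', $hash), true));
}

// password_hash() picks the scheme and salt itself; its output length may change across PHP versions.
$modern = password_hash($password, PASSWORD_DEFAULT);
printf("%-16s length=%3d  verify=%s\n", 'password_hash()', strlen($modern),
    var_export(password_verify($password, $modern), true));

// Size the column for the longest format with headroom (the PHP manual suggests 255 characters).
printf("longest crypt() output here: %d; a VARCHAR(255) column holds every format above\n", $longest);
```

The 34-character length observed in the first post is the length of an MD5-based (`$1$`) crypt string with an 8-character salt; the other schemes produce different lengths, so a column sized for one of them can truncate another.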