Edit report at https://bugs.php.net/bug.php?id=62134&edit=1
ID: 62134 Comment by: smt837784 at yahoo dot com Reported by: sebastian dot pleschko at icans-gmbh dot com Summary: Bcrypt Password Hashing ingores last salt character Status: Open Type: Bug Package: hash related Operating System: Ubuntu 12.04 PHP Version: 5.3.13 Block user comment: N Private report: N New Comment: *** This is not a bug and the status should be changed *** The salt is a 128 bit value in base64 (using these characters "./A-Za-z0-9" vs "A-Za-z0-9+/") which means the last character in the salt is only 2 bits and is going to be one of the following characters ".Oeu". So "alongstringwithmanycharacters" is actually "alongstringwithmanychO==" then "==" is removed. Previous Comments: ------------------------------------------------------------------------ [2012-05-24 08:52:12] sebastian dot pleschko at icans-gmbh dot com Description: ------------ The documentation states, that the salt for bcrypt hashing requires 22 characters. You do actually need to provide 22 Characters, however the last character is (partially) ignored and not appended to the salt in the encrypted password. It seems that it is not a complete ingorance, however. Apparently the characters a-e produce the same results, as do the characters f-z and A-Z. This doesn't seem right.... Test script: --------------- // More than 22 Characters will be trimmed echo crypt('Test','$2a$09$alongstringwithmanycharacters'); // $2a$09$alongstringwithmanychOw5ylWHc1konZ7sxrgs2HrhMWZdgvW0W // 21 Characters -> Error echo crypt('Test','$2a$09$alongstringwithmanych'); // *0 // 22 Characters -> Works, notice how the last char isn't shown in the pw echo crypt('Test','$2a$09$alongstringwithmanycha'); // $2a$09$alongstringwithmanychOw5ylWHc1konZ7sxrgs2HrhMWZdgvW0W // 22 Characters -> Different salt, same result! The last char is required but ignored echo crypt('Test','$2a$09$alongstringwithmanychb'); // $2a$09$alongstringwithmanychOw5ylWHc1konZ7sxrgs2HrhMWZdgvW0W ------------------------------------------------------------------------ -- Edit this bug report at https://bugs.php.net/bug.php?id=62134&edit=1