Edit report at https://bugs.php.net/bug.php?id=62134&edit=1

 ID:                 62134
 Comment by:         smt837784 at yahoo dot com
 Reported by:        sebastian dot pleschko at icans-gmbh dot com
 Summary:            Bcrypt Password Hashing ignores last salt character
 Status:             Open
 Type:               Bug
 Package:            hash related
 Operating System:   Ubuntu 12.04
 PHP Version:        5.3.13
 Block user comment: N
 Private report:     N

 New Comment:

*** This is not a bug and the status should be changed ***

The salt is a 128 bit value in base64 (using these characters "./A-Za-z0-9" vs 
"A-Za-z0-9+/") which means the last character in the salt is only 2 bits and is 
going to be one of the following characters ".Oeu".

So "alongstringwithmanycharacters" is actually "alongstringwithmanychO==" then 
"==" is removed.


Previous Comments:
------------------------------------------------------------------------
[2012-05-24 08:52:12] sebastian dot pleschko at icans-gmbh dot com

Description:
------------
The documentation states that the salt for bcrypt hashing requires 22 
characters. You do actually need to provide 22 characters, however the last 
character is (partially) ignored and not appended to the salt in the encrypted 
password.

It seems that it is not a complete ignorance, however. Apparently the 
characters a-e produce the same results, as do the characters f-z and A-Z. 

This doesn't seem right.... 



Test script:
---------------
// More than 22 Characters will be trimmed
echo crypt('Test','$2a$09$alongstringwithmanycharacters');
// $2a$09$alongstringwithmanychOw5ylWHc1konZ7sxrgs2HrhMWZdgvW0W


// 21 Characters -> Error
echo crypt('Test','$2a$09$alongstringwithmanych');
// *0

// 22 Characters -> Works, notice how the last char isn't shown in the pw
echo crypt('Test','$2a$09$alongstringwithmanycha');
// $2a$09$alongstringwithmanychOw5ylWHc1konZ7sxrgs2HrhMWZdgvW0W

// 22 Characters -> Different salt, same result! The last char is required but ignored
echo crypt('Test','$2a$09$alongstringwithmanychb');
// $2a$09$alongstringwithmanychOw5ylWHc1konZ7sxrgs2HrhMWZdgvW0W






------------------------------------------------------------------------
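
The arithmetic behind the "not a bug" comment, as an added PHP example that is not part of the bug report or of PHP's crypt() implementation: it decodes a 22-character bcrypt salt to its 128-bit value and re-encodes it, which shows why the salts in the test script all appear identically in the resulting hash. The function names are hypothetical, and the code assumes the MSB-first bit packing of bcrypt's base64 variant.

```php
<?php
// Added illustration; function names are hypothetical, not PHP's own API.
// bcrypt's base64 alphabet: '.' has value 0, '9' has value 63.
const BCRYPT_B64 = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

// Decode a 22-character salt to the 16 raw bytes (128 bits) bcrypt uses.
// 22 characters carry 132 bits; the low 4 bits of the last one are dropped.
function bcrypt_salt_decode(string $salt22): string
{
    if (strlen($salt22) !== 22 || strspn($salt22, BCRYPT_B64) !== 22) {
        throw new InvalidArgumentException('need 22 characters from ./A-Za-z0-9');
    }
    $bits = '';
    foreach (str_split($salt22) as $ch) {
        $bits .= str_pad(decbin(strpos(BCRYPT_B64, $ch)), 6, '0', STR_PAD_LEFT);
    }
    $raw = '';
    foreach (str_split(substr($bits, 0, 128), 8) as $octet) {
        $raw .= chr(bindec($octet));
    }
    return $raw;
}

// Encode 16 raw bytes back into 22 characters, zero-filling the 4 spare bits.
function bcrypt_salt_encode(string $raw16): string
{
    $bits = '';
    foreach (str_split($raw16) as $byte) {
        $bits .= str_pad(decbin(ord($byte)), 8, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits . '0000', 6) as $sextet) {
        $out .= substr(BCRYPT_B64, bindec($sextet), 1);
    }
    return $out;
}

// The salt as it appears in the resulting hash: trimmed to 22 characters,
// then round-tripped through the 128-bit value.
function bcrypt_salt_canonical(string $salt): string
{
    return bcrypt_salt_encode(bcrypt_salt_decode(substr($salt, 0, 22)));
}

// Salts taken from the test script in the report.
$salts = ['alongstringwithmanycharacters', 'alongstringwithmanycha', 'alongstringwithmanychb'];
foreach ($salts as $salt) {
    printf("%-30s => %s\n", $salt, bcrypt_salt_canonical($salt));
}
```

Passing the 21-character salt from the test script raises the exception in bcrypt_salt_decode(), which corresponds to the `*0` failure shown in the report.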


