PHP crypt() Function



Definition and Usage

The crypt() function returns a hashed string using the DES, Blowfish (bcrypt), MD5, SHA-256 or SHA-512 algorithms.

This function behaves differently on different operating systems. PHP checks which algorithms are available, and which to use, when it is installed.

The salt parameter selects the algorithm, the cost and the per-password random value, so always supply one: generate it from a cryptographically secure source (for example random_bytes()), never reuse it across passwords, and prefer the bcrypt ($2y$) or SHA-512 schemes with a high cost. Omitting the salt raises an E_NOTICE as of PHP 5.6.0, and as of PHP 8.0.0 the parameter is required.

There are some constants that are used together with the crypt() function. The values of these constants are set by PHP when it is installed.

Constants:

  • [CRYPT_STD_DES] - Standard DES-based hash with two character salt from the alphabet "./0-9A-Za-z". Using invalid characters in the salt will cause this function to fail.
  • [CRYPT_EXT_DES] - Extended DES-based hash with a nine character salt consisting of an underscore followed by 4 bytes of iteration count and 4 bytes of salt. These are encoded as printable characters, 6 bits per character, least significant character first. The values 0 to 63 are encoded as "./0-9A-Za-z". Using invalid characters in the salt will cause the function to fail.
  • [CRYPT_MD5] - MD5 hashing with a 12 character salt starting with $1$
  • [CRYPT_BLOWFISH] - Blowfish hashing with a salt starting with $2a$, $2x$, or $2y$, a two-digit cost parameter, "$", and 22 characters from the alphabet "./0-9A-Za-z". Using characters outside of the alphabet will cause this function to return a zero-length string. The cost parameter is the base-2 logarithm of the iteration count for the underlying Blowfish-based hashing algorithm and must be in the range 04-31. Values outside this range will cause the function to fail.
  • [CRYPT_SHA256] - SHA-256 hash with a 16 character salt starting with $5$. If the salt string starts with "rounds=<N>$", the numeric value of N is used to indicate how many times the hashing loop should be executed, much like the cost parameter on Blowfish. The default number of rounds is 5000, there is a minimum of 1000 and a maximum of 999,999,999. Any selection of N outside this range will be truncated to the nearest limit.
  • [CRYPT_SHA512] - SHA-512 hash with a 16 character salt starting with $6$. If the salt string starts with "rounds=<N>$", the numeric value of N is used to indicate how many times the hashing loop should be executed, much like the cost parameter on Blowfish. The default number of rounds is 5000, there is a minimum of 1000 and a maximum of 999,999,999. Any selection of N outside this range will be truncated to the nearest limit.

On systems where this function supports multiple algorithms, the constants above are set to "1" if supported and "0" otherwise.

Note: There is no decrypt function. The crypt() function uses a one-way algorithm.
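The salt formats above are easy to get wrong, and a malformed salt does not fall back to a safer scheme: it makes crypt() fail. The following is an added example, not code from the original page. It builds salts for the bcrypt and SHA-512 schemes from random_bytes(), validates the cost or rounds before calling crypt(), and refuses to store a failure string. The function names (crypt_salt_chars, bcrypt_salt, sha512_salt, crypt_or_fail) are the editor's own.

```php
<?php
// Added example (not from the original page): build correctly formatted
// salts from a CSPRNG for the crypt() schemes listed above and check the
// return value before storing it. Function names are the editor's own.

// Characters crypt() accepts in a salt: "./0-9A-Za-z" (64 symbols).
function crypt_salt_chars(int $length): string
{
    // base64 uses "+" where crypt's alphabet uses "."; "/" is valid in both.
    // Translating "+" to "." yields only characters crypt() accepts.
    $raw = base64_encode(random_bytes($length));
    return substr(strtr($raw, '+', '.'), 0, $length);
}

// bcrypt: "$2y$" . two-digit cost (04-31) . "$" . 22 salt characters.
function bcrypt_salt(int $cost = 12): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be in the range 04-31');
    }
    return sprintf('$2y$%02d$%s', $cost, crypt_salt_chars(22));
}

// SHA-512: "$6$rounds=N$" . 16 salt characters. crypt() silently clamps
// N to 1000-999999999, so reject out-of-range values here instead.
function sha512_salt(int $rounds = 100000): string
{
    if ($rounds < 1000 || $rounds > 999999999) {
        throw new InvalidArgumentException('rounds must be in the range 1000-999999999');
    }
    return sprintf('$6$rounds=%d$%s', $rounds, crypt_salt_chars(16));
}

// crypt() signals failure with a string shorter than 13 characters
// (for example "*0"). Never store such a value as if it were a hash.
function crypt_or_fail(string $password, string $salt): string
{
    $hash = crypt($password, $salt);
    if (strlen($hash) < 13) {
        throw new RuntimeException('crypt() failed for salt prefix ' . substr($salt, 0, 4));
    }
    return $hash;
}

// Usage: hash the same (constructed) password under both schemes.
$password = 'correct horse battery staple';

$bcrypt = crypt_or_fail($password, bcrypt_salt(12));
echo "bcrypt:  ", $bcrypt, "\n";

$sha512 = crypt_or_fail($password, sha512_salt(100000));
echo "sha512:  ", $sha512, "\n";

// A hand-built salt with a cost below 04 is rejected rather than hashed
// with a weaker scheme.
try {
    crypt_or_fail($password, '$2y$03$' . crypt_salt_chars(22));
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The bcrypt result is always 60 characters ($2y$, the two-digit cost, 22 salt characters and 31 hash characters), which is a cheap sanity check to add before writing to a database column. For new code, password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]) performs exactly the bcrypt_salt() and crypt() steps above with a random salt, so it is the safer default; the manual construction matters when you must interoperate with an existing crypt()-format store.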


Syntax

crypt(str,salt)

Parameter Description
str Required. Specifies the string to be hashed
salt Required as of PHP 8.0.0 (optional in earlier versions, with an E_NOTICE since PHP 5.6.0). A salt string to base the hashing on; its prefix selects the algorithm and the cost or rounds

Technical Details

Return Value: Returns the encoded string or a string that is shorter than 13 characters and is guaranteed to differ from the salt on failure
PHP Version: 4+
Changelog: $2x$ and $2y$ Blowfish modes were added in PHP 5.3.7 to deal with potential high-bit attacks.

The constants CRYPT_SHA256 and CRYPT_SHA512 were added in PHP 5.3.2.

As of PHP 5.3.2, Blowfish behaviour on invalid rounds returns the "failure" string ("*0" or "*1"), instead of falling back to DES.

As of PHP 5.3.0, PHP contains its own implementation of the MD5 crypt, Standard DES, Extended DES and Blowfish algorithms and uses it if the system lacks support for one or more of them.

Example

Example 1

In this example we will test the different algorithms:

<?php
// Standard DES: 2 character salt
if (CRYPT_STD_DES == 1)
{
  echo "Standard DES: ".crypt('something','st')."\n<br>";
}
else
{
  echo "Standard DES not supported.\n<br>";
}

// Extended DES: 9 character salt, an underscore followed by 4 characters of
// iteration count and 4 characters of salt
if (CRYPT_EXT_DES == 1)
{
  echo "Extended DES: ".crypt('something','_S4..some')."\n<br>";
}
else
{
  echo "Extended DES not supported.\n<br>";
}

// MD5: 12 character salt starting with $1$
if (CRYPT_MD5 == 1)
{
  echo "MD5: ".crypt('something','$1$somethin$')."\n<br>";
}
else
{
  echo "MD5 not supported.\n<br>";
}

// Blowfish: salt starting with $2a$ (use $2y$ on PHP 5.3.7 and later),
// the two digit cost parameter 09, and 22 characters from "./0-9A-Za-z"
if (CRYPT_BLOWFISH == 1)
{
  echo "Blowfish: ".crypt('something','$2a$09$anexamplestringforsalt$')."\n<br>";
}
else
{
  echo "Blowfish not supported.\n<br>";
}

// SHA-256: 16 character salt starting with $5$. The default number of rounds is 5000.
if (CRYPT_SHA256 == 1)
{
  echo "SHA-256: ".crypt('something','$5$rounds=5000$anexamplestringforsalt$')."\n<br>";
}
else
{
  echo "SHA-256 not supported.\n<br>";
}

// SHA-512: 16 character salt starting with $6$. The default number of rounds is 5000.
if (CRYPT_SHA512 == 1)
{
  echo "SHA-512: ".crypt('something','$6$rounds=5000$anexamplestringforsalt$');
}
else
{
  echo "SHA-512 not supported.";
}
?>

The output of the code above could be (depending on the operating system):

Standard DES: stqAdD7zlbByI
Extended DES: _S4..someQXidlBpTUu6
MD5: $1$somethin$4NZKrUlY6r7K7.rdEOZ0w.
Blowfish: $2a$09$anexamplestringforsaleLouKejcjRlExmf1671qw3Khl49R3dfu
SHA-256: $5$rounds=5000$anexamplestringf$KIrctqsxo2wrPg5Ag/hs4jTi4PmoNKQUGWFXlVy9vu9
SHA-512: $6$rounds=5000$anexamplestringf$Oo0skOAdUFXkQxJpwzO05wgRHG0dhuaPBaOU/oNbGpCEKlf/7oVM5wn6AN0w2vwUgA0O24oLzGQpp1XKI6LLQ0.
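Hashing is only half of the job; the stored value also has to be checked against a later login attempt. The following is an added example, not part of the original page. It re-runs crypt() with the stored hash as the salt (crypt() reads the scheme, cost and salt from the prefix and ignores the rest), compares the result in constant time with hash_equals(), and inspects the prefix to flag records that still use DES, MD5, a pre-5.3.7 bcrypt prefix or a low cost so they can be rehashed on the next successful login. The function names (verify_crypt, crypt_scheme, needs_rehash) and the stored sample hash are constructed here.

```php
<?php
// Added example (not from the original page): verify a password against a
// stored crypt() hash and decide whether the record should be upgraded.
// Function names and the sample record are constructed for this example.

// Re-run crypt() with the stored hash as the salt and compare in constant
// time. Anything shorter than 13 characters is never a valid hash (crypt()'s
// failure strings are shorter), so such records are rejected outright.
function verify_crypt(string $password, string $stored): bool
{
    if (strlen($stored) < 13) {
        return false;
    }
    $computed = crypt($password, $stored);
    if (strlen($computed) < 13) {
        return false;
    }
    return hash_equals($stored, $computed);
}

// Identify the scheme from the prefix described in the constants list:
// "$1$" MD5, "$2a$"/"$2x$"/"$2y$" bcrypt, "$5$" SHA-256, "$6$" SHA-512,
// a leading "_" and 20 characters for Extended DES, 13 characters for
// Standard DES.
function crypt_scheme(string $stored): string
{
    if (preg_match('/^\$(2[axy]|[156])\$/', $stored, $m)) {
        return $m[1];
    }
    if (strlen($stored) === 20 && $stored[0] === '_') {
        return 'ext-des';
    }
    if (strlen($stored) === 13) {
        return 'std-des';
    }
    return 'unknown';
}

// True when the stored hash uses a scheme or work factor that should be
// replaced. Thresholds are this example's choice, not PHP defaults.
function needs_rehash(string $stored, int $minBcryptCost = 12, int $minShaRounds = 100000): bool
{
    switch (crypt_scheme($stored)) {
        case '2y':
            // "$2y$NN$": the cost is the two digits after the second "$"
            return (int) substr($stored, 4, 2) < $minBcryptCost;
        case '5':
        case '6':
            // Without an explicit "rounds=" the default of 5000 applies
            if (preg_match('/^\$[56]\$rounds=(\d+)\$/', $stored, $m)) {
                return (int) $m[1] < $minShaRounds;
            }
            return true;
        default:
            // DES, MD5, $2a$/$2x$ (pre-5.3.7 bcrypt) or unrecognised input
            return true;
    }
}

// Usage with a constructed record: bcrypt, cost 12, random 22-character salt.
$salt = '$2y$12$' . substr(strtr(base64_encode(random_bytes(22)), '+', '.'), 0, 22);
$stored = crypt('something', $salt);

var_dump(verify_crypt('something', $stored));   // correct password
var_dump(verify_crypt('Something', $stored));   // wrong password (case differs)
var_dump(needs_rehash($stored));                // cost 12 meets the minimum

// The MD5-crypt value from the page's example output is flagged for upgrade.
var_dump(needs_rehash('$1$somethin$4NZKrUlY6r7K7.rdEOZ0w.'));
```

password_verify() accepts any hash in crypt() format and performs the same re-hash-and-compare as verify_crypt() above, so existing DES, MD5, SHA and bcrypt records can be checked with it unchanged; password_needs_rehash() covers the cost check for $2y$ hashes produced by password_hash(). The scheme parsing here is what you need when a store also holds the older crypt() formats that password_needs_rehash() does not classify.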

