English
English
The crypt() function in PHP is a core function for encrypting strings (usually passwords). It is based on the underlying encryption algorithm of the system and hash the input string to achieve secure storage and verification of passwords. Although the basic usage and purpose of the crypt() function are consistent across PHP versions, there are some important differences in its internal implementation and supported algorithms as the PHP and operating system versions change. These differences directly affect password security and application compatibility, and understanding them is essential for developing secure and stable applications.
crypt() accepts two parameters:
$hashed_password = crypt($password, $salt);
$password is a plaintext password or any string;
$salt is used to control the salt value of the encryption algorithm. Different formats determine the choice of the encryption algorithm.
The return value is a string that has been encrypted. When verifying the password, the same salt will be used to re-encrypt the password to compare whether the results are consistent.
Early PHP versions (PHP 4.x, PHP 5.2 and before)
Only standard DES encryption provided by the system (based on 56-bit keys, salt is 2 characters), with low security.
If the provided salt format is incorrect, crypt() will degenerate to using DES encryption.
PHP 5.3 and beyond
Start supporting more modern encryption algorithms such as MD5 (salt format starts with $1$ ),
Blowfish is also supported (salt format starts with $2a$ or $2y$ , depending on the PHP version),
Algorithms such as SHA-256 ( $5$ ) and SHA-512 ( $6$ ) are provided that the operating system's libc library supports.
PHP 7.x
Continue to improve Blowfish support and fix some security vulnerabilities in history (such as the impact of $2a$ )
PHP 7.3 later introduced the $2y$ tag, a safer version of Blowfish.
The support for different systems is higher and more algorithms are supported.
PHP 8.x
Maintain support for the above algorithms and pay attention to security and compatibility.
It is recommended to use PHP's native password hash functions password_hash() and password_verify() , but crypt() is still available.
The crypt() function actually relies on the operating system's libc library (such as GNU libc, BSD libc) to complete the encryption operation, so:
The supported algorithms may not be completely consistent for the same PHP version on different operating systems (Linux, FreeBSD, Windows).
crypt() support on Windows is very limited, and usually only supports traditional DES encryption.
Linux usually supports multiple algorithms, depending on the libc version.
There is a huge gap in security between different encryption algorithms. Early DES encryption algorithms were easily cracked and should no longer be used in production environments. PHP versions and operating systems that support modern algorithms (such as Blowfish, SHA-512) can greatly improve the security of password storage.
If the application depends on crypt() and does not specify the salt format explicitly, password verification failure may occur when upgrading the PHP version or migrating the operating system.
For example, the old system is only encrypted with DES and becomes SHA-512 after migration, resulting in the new system being unable to correctly verify the old password.
Therefore, it is recommended to specify the salt format explicitly in the application, or to adopt a more modern password processing interface.
PHP official introduced password_hash() and password_verify() in version 5.5, encapsulating the details of password encryption and verification:
$hash = password_hash($password, PASSWORD_DEFAULT); // Used by default bcrypt
if (password_verify($password, $hash)) {
echo "Password verification succeeded";
}
This interface has good compatibility and high security, and can automatically select the safest algorithm.
Avoid the complexity and compatibility issues of using crypt() directly.
In future versions, this solution is recommended instead of calling crypt() directly.
The following example shows how to call crypt() with different salts and illustrates the differences in encryption results:
