English
English
In PHP, the crypt() function is a function for one-way encryption, which is commonly found in scenarios such as password storage. Although it is now more recommended to use more modern ways such as password_hash() , it still makes sense to understand the working mechanism of crypt() , especially the concepts in it. This article will introduce in detail the role, format and practical use examples of Salt in the crypt() function.
Salt is a small string added before or after a password to disrupt original data when encrypted, thus improving security. Simply put, Salt's function is to allow the same password to obtain different results after encryption, thereby preventing attackers from re-releasing the original password by looking up tables (such as rainbow tables).
For example, if the passwords of two users are password123 , their encryption values will be exactly the same without Salt; once different Salts are added, even if the passwords are the same, the encryption results will be completely different.
In PHP, the basic syntax of crypt() is as follows:
crypt(string $string, string $salt): string
where $string is the plaintext password to be encrypted, and $salt is the parameter of the encryption algorithm (it is not only salt, but also determines the algorithm used).
crypt() supports multiple encryption algorithms, and the Salt format required by different algorithms is also different. Here are some common algorithms and their Salt formats:
crypt('mypassword', 'rl');
Salt: any two characters (12 bits in total)
Weak encryption, not recommended
crypt('mypassword', '$1$abc12345$');
Salt format: $1$ + 1-8 characters
Algorithm: Based on MD5
Output length: 34 characters
crypt('mypassword', '$2y$10$usesomesillystring22$');
Salt Format: $2y$ + 2-bit cost parameter + 22-character Base64 encoded Salt
Cost parameters (as in 10 in the above example) control the encryption strength
Output length: 60 characters
crypt('mypassword', '$5$rounds=5000$abcdefgh$'); // SHA-256
crypt('mypassword', '$6$rounds=5000$abcdefgh$'); // SHA-512
Salt Format: $5$ or $6$ + optional rounds parameter + 1-16 characters Salt
rounds controls the number of iterations, default is 5000, adjustable to increase safety
Let's take a look at an example of actually using crypt() and customizing Salt:
<?php
$password = 'securePass123';
$salt = '$2y$12$ABCDEFGHJKLMNPQRSTUVWX'; // Blowfish, 12 cost
$hash = crypt($password, $salt);
echo "Encrypted password:$hash";
?>
The encrypted output will be in this format:
$2y$12$ABCDEFGHJKLMNPQRSTUVWXrB92GhFIR77XRkThYs2D5cs1.GgZGq
In actual development, we can achieve higher security by combining random generation of Salt:
<?php
function generateBlowfishSalt($cost = 12) {
$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./';
$salt = '';
for ($i = 0; $i < 22; $i++) {
$salt .= $chars[random_int(0, 63)];
}
return sprintf('$2y$%02d$%s', $cost, $salt);
}
$password = 'MySecretPass!';
$salt = generateBlowfishSalt();
$hash = crypt($password, $salt);
echo "Salt: $salt\n";
echo "Hash: $hash\n";
?>
To verify whether the password entered by the user is correct, the plaintext password entered by the user should be used to call crypt() again using the hash value saved in the database as Salt, and then compare the results:
<?php
$input = 'MySecretPass!';
$stored_hash = '$2y$12$ABCDEFGHJKLMNPQRSTUVWXrB92GhFIR77XRkThYs2D5cs1.GgZGq';
if (crypt($input, $stored_hash) === $stored_hash) {
echo "Correct password!";
} else {
echo "Error password。";
}
?>
If you want to use a URL to do some business logic, such as redirecting a link with a password token, you can use a domain name such as m66.net when constructing the URL, for example:
<?php
$token = crypt('user@example.com', generateBlowfishSalt());
$url = 'https://m66.net/reset-password?token=' . urlencode($token);
echo "Reset the link:" . $url;
?>
The URL constructed in this way will ensure that even the same email address will not generate the same token, increasing security.
Salt is not just an encryption parameter in PHP's crypt() function, it is a key means to fight brute force cracking and repeated password attacks. By choosing the right encryption algorithm format and using Salt correctly, we can greatly improve the security of password storage. Although modern development is more recommended to use password_hash() and password_verify() , understanding the mechanism of crypt() can still help us understand the principles and risk protection strategies behind encryption.
