Home/ Questions/Q 6355187
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-24T22:42:52+00:00

Normally if I have a password, I would use this pseudocode: $password = this

  • 0

Normally if I have a password, I would use this pseudocode:

$password = "this is the user's password";
/***/
$salt = GenerateSalt();
$hash = Hash($password);
$hash = Hash($hash . $salt);

However, as I understand it, PHP has a crypt() function which takes a salt as well as the number of iterations of a particular algorithm. Apparently you are.. supposed to pass the returned hash of crypt back into crypt as the salt. I do not understand this.

Can anyone please clarify how crypt works? Do I still need to append my own salt and rehash? In that case, would I just use a fixed salt for crypt, and then generate a separate crypt for each user? Or does crypt’s $salt parameter take care of that for me?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The output of crypt consists of:

    • (optionally an algorithm identifier + load factor)
    • the salt for the used algorithm
    • the real hash

    When you pass this output als “salt” back to crypt, it will extract the right algorithm and salt, and use these for the operation. If there is only an algorithm mentioned, it uses this one and generate random salt. Otherwise it will choose a default algorithm and generate random salt. The hash part in the passed salt parameter is ignored.

    So you can simply compare your stored_hash with crypt(password, stored_hash) – if it is equal, it quite likely was the right password.

    Here is an pseudocode explanation (in PHP-like syntax) how crypt works:

    function crypt($password, $salt)
{
  if (substr($salt,0 1) == "_") {
     $count = substr($salt, 1, 4);
     $real_salt = substr($salt, 5, 4);
     return "_" . $count . $real_salt . crypt_ext_des($password, $count, $salt);
  }
  if(substr($salt, 0, 3) == "$1$") {
     list($ignored, $real_salt, $ignored) = explode("$", $salt);
     return "$1$" . $real_salt . "$" . crypt_md5($password, $real_salt);
  }
  if(substr($salt, 0, 4) == "$2a$") {
      $cost = substr($salt, 4, 2);
      $real_salt = substr($salt, 7, 22);
      return "$2a$" . $cost . "$" . $real_salt . crypt_brypt($password, $real_salt, $cost);
  }
  // ... SHA256 and SHA512 analogons

  // no match => STD_DES
  $real_salt = substr($salt, 0, 2);
  return $real_salt . crypt_std_des($password, $real_salt);
}

    The individual crypt_xxx functions then do the real work, depending on the algorithm.
    (Actually, the generation of random salt is missing in this description. It will be done if the $real_salt is empty.)

    • 0