String Functions

PHP crypt() Function

Topic: PHP String ReferencePrev|Next

Description

The crypt() function encrypts a string using one-way encryption.

This function takes a string to encrypt and a salt. The salt parameter is optional. However, crypt() creates a weak hash without the salt. So make sure to specify a strong enough salt for better security.

This function encrypts a string using the standard Unix DES-based algorithm. But, alternative hashing algorithms such as MD5 or Blowfish may also be used depending on the operating system.

On operating systems where the crypt() function supports multiple hash types, the following constants are set to 0 or 1 depending on whether the given type is available:

  • CRYPT_STD_DES – Standard DES-based hash with a two character salt from the alphabet "./0-9A-Za-z". Using invalid characters in the salt will cause this function to fail.
  • CRYPT_EXT_DES – Extended DES-based hash with a nine character salt consisting of an underscore followed by 4 bytes of iteration count and 4 bytes of salt. These are encoded as printable characters, 6 bits per character, least significant character first. The values 0 to 63 are encoded as "./0-9A-Za-z". Using invalid characters in the salt will cause this function to fail.
  • CRYPT_MD5 – MD5 hashing with a twelve character salt starting with $1$
  • CRYPT_BLOWFISH – Blowfish hashing with a salt starting with $2a$, $2x$ or $2y$, a two digit cost parameter, $, and 22 characters from the alphabet "./0-9A-Za-z". Using characters outside of this range in the salt will cause crypt() to return a zero-length string. The cost parameter is the base-2 logarithm of the iteration count for the underlying Blowfish-based hashing algorithmeter and must be in range 04-31, values outside this range will cause this function to fail.
  • CRYPT_SHA256 – SHA-256 hash with a sixteen character salt starting with $5$. If the salt string starts with "rounds=<N>$", the numeric value of N is used to indicate how many times the hashing loop should be executed, much like the cost parameter on Blowfish. The default number of rounds is 5000, there is a minimum of 1000 and a maximum of 999,999,999. Any selection of N outside this range will be truncated to the nearest limit.
  • CRYPT_SHA512 – SHA-512 hash with a sixteen character salt starting with $6$. If the salt string starts with "rounds=<N>$", the numeric value of N is used to indicate how many times the hashing loop should be executed, much like the cost parameter on Blowfish. The default number of rounds is 5000, there is a minimum of 1000 and a maximum of 999,999,999. Any selection of N outside this range will be truncated to the nearest limit.

The following table summarizes the technical details of this function.

Return Value: Returns the hashed string or a string that is shorter than 13 characters and is guaranteed to differ from the salt on failure.
Version: PHP 4+

Note: Data encrypted with the crypt() function cannot be decrypted. This function is generally used to encrypt a password that is saved for user's authentication purposes. At the time of login the password entered by the user is encrypted and compared against the previously encrypted password to check whether they match or not.


Syntax

The basic syntax of the crypt() function is given with:

crypt(string, salt);

The following example shows the crypt() function in action.

<?php
// Set the password
$password = 'veryweekpassword';

// Getting the hash, let the salt be automatically generated
$hashed_password = crypt($password);

// User entered password
$user_input = 'differentpassword';

// Verifying the passwords
if(hash_equals($hashed_password, crypt($user_input, $hashed_password))) {
   echo "Password match!";
} else {
    echo "Password did not match!";
}
?>

Note: You should pass the entire results of crypt() as the salt for comparing a password, to avoid problems when different hashing algorithms are used. As standard DES-based password hashing uses a 2-character salt, whereas MD5-based hashing uses 12-character salt.

Tip: The password_hash() function uses a strong hash, generates a strong salt, and applies proper rounds automatically. password_hash() is a simple crypt() wrapper and compatible with existing password hashes. It is recommended to use password_hash() instead.


Parameters

The crypt() function accepts the following parameters.

Parameter Description
string Required. Specifies the string to be hashed.
salt Optional. Specifies a salt string to base the hashing on.

More Examples

Here're some more examples showing how crypt() function actually works:

The following example demonstrates the use of this function with different hash types.

Also, the salts used in the examples are for demonstration purposes only. You should always generate a distinct, correctly-formatted salt for each password.

<?php
// 2 character salt
if(CRYPT_STD_DES == 1) {
    echo 'Standard DES: ' . crypt('veryweekpassword', 'mj')."<br>";
}

// 9 character salt starting with underscore
if(CRYPT_EXT_DES == 1) {
    echo 'Extended DES: ' . crypt('veryweekpassword', '_R9..some')."<br>";
}

// 12 character salt starting with $1$
if(CRYPT_MD5 == 1) {
    echo 'MD5: ' . crypt('veryweekpassword', '$1$sillystr$')."<br>";
}

// Salt starting with $2a$, followed by two digit cost parameter 10
if(CRYPT_BLOWFISH == 1) {
    echo 'Blowfish: ' . crypt('veryweekpassword', '$2a$10$usesomesillystringforsalt$')."<br>";
}

// 16 character salt starting with $5$. The default number of rounds is 5000
if(CRYPT_SHA256 == 1) {
    echo 'SHA-256: ' . crypt('veryweekpassword', '$5$rounds=5000$usesomesillystringforsalt$')."<br>";
}

// 16 character salt starting with $6$. The default number of rounds is 5000
if(CRYPT_SHA512 == 1) {
    echo 'SHA-512: ' . crypt('veryweekpassword', '$6$rounds=5000$usesomesillystringforsalt$');
}
?>

The output of the above example will look something like this:

Standard DES: mjkg7W9MIGLBk
Extended DES: _R9..someX2hbRcR/P46
MD5: $1$sillystr$z0gQGUVSrSbHpcUvF6IvK0
Blowfish: $2a$10$usesomesillystringforez1bDU9TKqvZj.Jlt6Zaw1sTDI55aZsy
SHA-256: $5$rounds=5000$usesomesillystri$HLhfmfXPbeEc3e5CGa.1kHDJ/XLsXoVRXIRS/zUxsl7
SHA-512: $6$rounds=5000$usesomesillystri$nziff29rkNd/Gw8XUi8Ht2.nsxGPiDkBtQ9JYZ4UKMdLyo5lDqCi4lWJxZmw5jKYvWwjLX7WMemTbIS0rSA7l/
Bootstrap UI Design Templates Property Marvels - A Leading Real Estate Portal for Premium Properties