Not Sure That I'm Using crypt() Properly

When using crypt for generating a password has using sha512, I’m not sure if there is a bug somewhere, I’m not doing it quite right or it’s actually correct. An example has I get is:


The way I’m using crypt at the moment is:


I can’t see any bugs listed, the


Just doesn’t seem to sit right. The salt I’m using is a 70 character alphanumeric string and the PHP version I’m using is 5.4.3 (Wamp server). Has anyone else had a similar start to their sha512 hash when using crypt() ?


I don’t know why you actually see this as something inappropriate? The fact that the cost is presented in plain text? The same thing happens with BLOWFISH except there is no “rounds=” string. I admit this is strange as the characters are redundant and use up space for no reason. The same happens on my 5.3.23 installation, I have no idea why the output is made to look like this.

However, I can see there are some errors in how you use crypt. First, $6 shouldn’t be repeated and the string should not end with $:

$password=crypt($password, '$6$rounds=5000$'.$salt);

And second, the salt can be maximum 16 characters long, anything more is ignored.

Edit: Examples in PHP docs show an ending $ after the salt, however this is not mentioned in the actual explanation for each algorithm on the crypt page and I find it is actually optional.

Can you provide a link to where you found that? I just find that interesting and it isn’t on the crypt page itself… :slight_smile:

It is the crypt page itself:

CRYPT_SHA512 - SHA-512 hash with a sixteen character salt prefixed with $6$. […]


I read that 4 times earlier and never caught that! Thanks :slight_smile: