\_ I've noticed that the version of PHP I'm working with (php3) seems
\_ to return a hash on only the first 10-14 characters of a string.
I'm guessing it's actually on char 9+ [see below].  

\_ crypt curiously returns the same hash for matching HTTP_USER_AGENT strings,
\_ even though the time() function returns different values (I tried it with
\_ microtime() too, same result).  The md5 hash is always different.  It's my
\_ understanding that crypt() is supposed to hash an entire string; am I
\_ mistaken?  Or is there perhaps something wacky with the installation I'm
\_ working with?

More than likely, the PHP engine is doing a straight call to the
standard crypt() function.

From man crypt:

       By taking the lowest 7 bit of each character of the key, a
       56-bit  key  is  obtained.

Quick math says 56/7 = 8 chars are important.  [Hum, typo, prolly
should be 'lowest 7 bit_s_'.  :-]

From days of yore, passwords were up to 8 characters...everything else
was cover for the fact that your 'password' was
'cleartext8324ashdfh823hfasdf'  :-)

Also, I don't believe DES is a) "secure" still (prolly unimportant in
your case), or b) guaranteed unique.

md5 is.

AFAIK. YMMV. HTH.  HAND.

David