php crypt function

Author: David P. Schwartz davids@desertigloo.com
Date:  
Subject: php crypt function
Interesting... The PHP info I've read simply says that crypt returns a hash of the string passed to it with the salt prepended. Nothing
I've seen says anything about limitations on the length of the string.

What I'm trying to accomplish is getting a unique hash from a string up to 60 characters in length, where the resulting hash is between
10 and 15 characters long. Given the same key, I need to be able to derive the same hash, but I want a reasonably low probability of
collisions over a large (10**6) sampling (e.g., email addresses are unique per user, so a hash that includes their email address is
useful as a seed). md5 hashes are too long for my needs. Any ideas on what might work are welcome.

-David (the other one)

wrote:

> _ I've noticed that the version of PHP I'm working with (php3) seems
> _ to return a hash on only the first 10-14 characters of a string.
> I'm guessing it's actually on char 9+ [see below].
>
> _ crypt curiously returns the same hash for matching HTTP_USER_AGENT strings,
> _ even though the time() function returns different values (I tried it with
> _ microtime() too, same result). The md5 hash is always different. It's my
> _ understanding that crypt() is supposed to hash an entire string; am I
> _ mistaken? Or is there perhaps something wacky with the installation I'm
> _ working with?
>
> More than likely, the PHP engine is doing a straight call to the
> standard crypt() function.
>
> From man crypt:
>
>        By taking the lowest 7 bit of each character of the key, a
>        56-bit  key  is  obtained.
>
> Quick math says 56/7 = 8 chars are important. [Hum, typo, prolly
> should be 'lowest 7 bit_s_'. :-]
>
> From days of yore, passwords were up to 8 characters...everything else
> was cover for the fact that your 'password' was
> 'cleartext8324ashdfh823hfasdf' :-)
>
> Also, I don't believe DES is a) "secure" still (prolly unimportant in
> your case), or b) guaranteed unique.
>
> md5 is.
>
> AFAIK. YMMV. HTH. HAND.
>
> David
>
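
The 8-character limit discussed in this thread, next to one way to derive a deterministic 10 to 15 character identifier, as an added example that is not part of the original messages. The helpers `short_id` and `collision_probability`, the salt and the sample strings are constructed for illustration, and truncated SHA-256 is a swapped-in choice that the thread itself does not propose.

```php
<?php
// Added example, not code from the thread.

// Traditional DES crypt(): a two-character salt selects it, and only the
// low 7 bits of the first 8 key characters reach the 56-bit DES key.
$salt = 'ab'; // constructed sample salt
// Constructed inputs: a user-agent string followed by a changing timestamp.
$a = crypt('Mozilla/4.0 (compatible) 953000001', $salt);
$b = crypt('Mozilla/4.0 (compatible) 953000002', $salt);
// The inputs differ only after character 8, so DES crypt cannot tell them apart.
var_dump($a === $b);

// Hypothetical helper: deterministic short ID taken from a SHA-256 digest,
// encoded as URL-safe base64 (6 bits per output character) and truncated.
function short_id(string $key, int $length = 13): string
{
    if ($length < 1 || $length > 43) {
        throw new InvalidArgumentException('length must be 1..43');
    }
    $digest = hash('sha256', $key, true); // 32 raw bytes, whole key is hashed
    $b64 = rtrim(strtr(base64_encode($digest), '+/', '-_'), '=');
    return substr($b64, 0, $length);
}

// Hypothetical helper: birthday approximation for at least one collision among
// $n distinct keys spread uniformly over $bits-bit values:
// p = 1 - exp(-n^2 / 2^(bits + 1)).
function collision_probability(float $n, int $bits): float
{
    return -expm1(-($n * $n) / (2.0 ** ($bits + 1)));
}

// Same constructed inputs, prefixed with a per-user value as the post suggests.
$x = short_id('user@example.com|Mozilla/4.0 (compatible) 953000001');
$y = short_id('user@example.com|Mozilla/4.0 (compatible) 953000002');
var_dump(strlen($x), $x === $y);

// Collision estimate for the 10**6 keys mentioned in the post.
foreach ([10, 13, 15] as $len) {
    printf("%2d chars (%d bits): p ~ %.1e for 10^6 keys\n",
        $len, $len * 6, collision_probability(1e6, $len * 6));
}
```

A truncated digest is an identifier, not a password hash or a secret; anyone who knows the input can recompute it.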