doujiao0110 2014-03-12 07:22

php crypt - trailing dollar sign - extracting only the salt part from the hash - padding the salt

I am reading up on PHP's crypt() function. I have a few questions on it -

  1. What is the significance of the trailing '$' sign at the end of the salt string that I see in most examples? The manual doesn't specifically say anything about ending the salt string with it.

  2. Is there any way I can extract only the salt portion from the hash? I know that I probably don't need to, since the crypt() function will internally do it when doing a comparison. But just for the heck of it. Just for me to see the salt. For example, consider this code -

    $pass = 'secret';
    $salt = '$2y$07$usesomesillystringforsalt$';
    echo crypt($pass, $salt);

    The output of this is $2y$07$usesomesillystringforex.u2VJUMLRWaJNuw0Hu2FvCEimdeYVO and I am unsure about the boundary between the salt and the hash. Is the 'e' in the 'forex' substring part of the salt or the hash? It would be much easier if I could just extract the salt part of it.

  3. Also the crypt() manual says

    ... Blowfish hashing with a salt as follows: "$2a$", "$2x$" or "$2y$", a two digit cost parameter, "$", and 22 characters from the alphabet "./0-9A-Za-z"....

    As per this I expect 22 characters after the $ sign following the cost parameter. But consider this code -

    $pass = 'secret';
    $salt = '$2y$07$somesillystring$';
    echo crypt($pass, $salt);

    The output of this is $2y$07$somesillystring$$$$$$.O6JLPmGlDvy4BicGmkuBD.DN8OYiIoG. My question is why is it padded only up to 21 characters following the $ sign after the cost parameter. I was expecting it to be padded up to 22 characters.


  • dongmu5596 2014-03-12 07:40
    1. Some crypt() algorithms separate the salt from the crypt with a dollar sign. Blowfish doesn't.

    2. PHP provides no facility for just extracting the salt. You would need an associative array of algorithms and salt positions/lengths.

    3. I'm not sure why the 21 vs 22 character difference. Could it be an error in the PHP manual? Try running "man crypt" or go to http://linux.die.net/man/3/crypt .
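
Point 2 of the answer above suggests a per-algorithm table of salt positions and lengths. The following is an added example (not from the original posts and not part of PHP) that does this for bcrypt, which uses fixed widths, and for the `$1$`, `$5$` and `$6$` schemes, which end the salt at a `$`. `split_crypt_hash()` is a hypothetical helper name, and the SHA-512 sample is constructed at run time.

```php
<?php
// Added example. split_crypt_hash() is a hypothetical helper, not a PHP built-in.

function split_crypt_hash(string $hash): ?array
{
    // bcrypt has fixed widths and no '$' between salt and digest:
    // "$2y$" + two-digit cost + "$" + 22 salt chars + 31 digest chars = 60 chars.
    if (preg_match('/^\$(2[axy])\$(\d{2})\$(.{22})(.{31})$/', $hash, $m)) {
        // The manual's salt alphabet is "./0-9A-Za-z"; '$' padding is outside it.
        $ok = preg_match('/^[.\/0-9A-Za-z]{22}$/', $m[3]) === 1;
        return [
            'scheme' => $m[1],
            'params' => 'cost=' . $m[2],
            'salt'   => $m[3],
            'digest' => $m[4],
            'note'   => $ok ? '' : 'salt has characters outside ./0-9A-Za-z',
        ];
    }
    // MD5 ($1$), SHA-256 ($5$) and SHA-512 ($6$) end the salt at the next '$'.
    if (preg_match('/^\$([156])\$(?:(rounds=\d+)\$)?([^$]*)\$([^$]+)$/', $hash, $m)) {
        return [
            'scheme' => $m[1],
            'params' => $m[2],
            'salt'   => $m[3],
            'digest' => $m[4],
            'note'   => '',
        ];
    }
    return null; // unknown scheme or malformed string
}

$samples = [
    // The two crypt() outputs quoted in the question.
    '$2y$07$usesomesillystringforex.u2VJUMLRWaJNuw0Hu2FvCEimdeYVO',
    '$2y$07$somesillystring$$$$$$.O6JLPmGlDvy4BicGmkuBD.DN8OYiIoG',
    // Constructed at run time: a SHA-512 hash, where '$' does delimit the salt.
    crypt('secret', '$6$rounds=5000$examplesalt$'),
];

foreach ($samples as $hash) {
    $parts = split_crypt_hash($hash);
    if ($parts === null) {
        echo "unrecognized: $hash\n";
        continue;
    }
    printf("%s\n  scheme=%s %s\n  salt=%s\n  digest=%s\n  %s\n",
        $hash, $parts['scheme'], $parts['params'],
        $parts['salt'], $parts['digest'], $parts['note']);
}
```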

