
What is the output length of PHP crypt()?


md5() output is 128 bits and produces a string with 32 chars, so in the database you put that in a char(32) column; what about crypt()?


Solution

  • Note: It is totally limited to ask the question that way, see http://php.net/crypt

    Some more details:

    Examples:

    Let's start lightly with a simple crypt call and a valid two-character salt for a standard DES-based hash:

     13 :: 2 (salt) + 11 (hash - 64 bits, base 64)


    If you use PHP's crypt and specifically MD5 (here better named: md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5; Hashcat mode 500) and an empty salt, the output length is:

     26 :: 3 (`$1$`) + 0 (empty salt) + 1 (`$`) + 22 (hash - 128 bits, base 64)


    If on a system where PHP's crypt defaults to the said MD5 and it is called not specifying a salt, crypt will generate the salt. This salt is normally 8 characters long. The output length then is:

     34 :: 3 (`$1$`) + 8 (salt) + 1 (`$`) + 22 (hash)


    In this case, your database table column char(32) would either report an error on insert or truncate - depending on which database server you are using.

    But the MD5 example is moot; I picked it because you have it in your question, but you should not use MD5 with crypt (see: Md5crypt Password scrambler is no longer considered safe by author).

    Instead, let's take a look into Blowfish hashing (CRYPT_BLOWFISH). It has a two-digit cost parameter and always a salt length of 22 (if a shorter salt is given, it is padded with $s):

     60 :: 4 (`$2y$`) + 3 (cost `$`) + 22 (salt) + 1 (`$`) + 53 (hash)


    For the Blowfish crypt hash-algorithm (bcrypt, OpenBSD Blowfish; Hashcat mode 3200) there is a fixed length of 60 then.

    As you can see the output length depends on the used hash-algorithm, the length of the salt and even some hash specific parameters like the cost.

    If you, for example, opt for SHA512 with 999 999 999 rounds and a 16 byte long salt, the output length is:

     123 :: 3 (`$6$`) + 17 (`rounds=999999999$`) + 16 (salt) + 1 (`$`) + 86 (hash)


    This example is maybe a little bit extreme, just to show the picture.
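The layouts the answer walks through (DES, md5crypt, bcrypt, sha256crypt/sha512crypt with optional `rounds=`) can be checked mechanically before a hash is stored, so a column that is too narrow is caught rather than silently truncated. This is an added example and not code from the answer above; it is a Python parser for those formats, the sample hash strings are constructed with the right layout and are not real crypt() output, and it generalizes slightly beyond the answer by also covering `$5$` (sha256crypt) and the `$2a$`/`$2b$` bcrypt variants.

```python
import re

# Layouts PHP's crypt() can emit. Digest lengths are in characters of the
# crypt base-64 alphabet (./0-9A-Za-z), matching the sums in the answer.
MCF_SCHEMES = {  # identifier -> (name, max salt length, digest length)
    "1": ("md5crypt", 8, 22),
    "5": ("sha256crypt", 16, 43),
    "6": ("sha512crypt", 16, 86),
}
DES_RE = re.compile(r"^[./A-Za-z0-9]{13}$")
BCRYPT_RE = re.compile(r"^\$(2[aby]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
MCF_RE = re.compile(r"^\$([156])\$(?:rounds=(\d+)\$)?([^$]*)\$([./A-Za-z0-9]*)$")

def parse_crypt_hash(s):
    """Split a crypt() string into scheme, parameters, salt and digest.
    Raises ValueError when the string is not a complete, well-formed hash."""
    m = BCRYPT_RE.match(s)
    if m:
        return {"scheme": "bcrypt", "cost": int(m.group(2)), "salt": m.group(3),
                "digest": m.group(4), "length": len(s)}
    m = MCF_RE.match(s)
    if m:
        ident, rounds, salt, digest = m.groups()
        name, max_salt, digest_len = MCF_SCHEMES[ident]
        if ident == "1" and rounds is not None:
            raise ValueError("md5crypt has no rounds parameter")
        if len(salt) > max_salt or len(digest) != digest_len:
            raise ValueError(f"malformed or truncated {name} hash: {s!r}")
        return {"scheme": name, "rounds": int(rounds) if rounds else None,
                "salt": salt, "digest": digest, "length": len(s)}
    if DES_RE.match(s):
        return {"scheme": "des", "salt": s[:2], "digest": s[2:], "length": 13}
    raise ValueError(f"unrecognised crypt() output: {s!r}")

def is_well_formed(s):
    """True if s parses as a complete hash (catches values truncated on insert)."""
    try:
        parse_crypt_hash(s)
        return True
    except ValueError:
        return False

def fits_column(s, width):
    """True if the well-formed hash s fits a char(width) column."""
    return parse_crypt_hash(s)["length"] <= width

# Constructed sample values with the layouts from the answer (not real hashes).
DES_SAMPLE = "abJnggxhB/yWI"
MD5_EMPTY_SALT = "$1$$" + "0123456789abcdefghijkl"
MD5_SAMPLE = "$1$abcdefgh$" + "0123456789abcdefghijkl"
BCRYPT_SAMPLE = "$2y$10$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
SHA512_SAMPLE = "$6$rounds=999999999$" + "0123456789abcdef" + "$" + "A" * 86

if __name__ == "__main__":
    for h in (DES_SAMPLE, MD5_EMPTY_SALT, MD5_SAMPLE, BCRYPT_SAMPLE, SHA512_SAMPLE):
        p = parse_crypt_hash(h)
        print(p["scheme"], p["length"], "fits char(32):", fits_column(h, 32))
```

Running `is_well_formed()` on what comes back out of the database is a cheap way to detect a column that truncated hashes on insert instead of raising an error.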
