Why does the PHP crypt function use the DES encryption algorithm?

Given that the rule of thumb is to store salted hashes of the password string, not the encrypted form of it, why does the PHP crypt() function use the DES-based algorithms? Isn't DES an encryption algorithm? The manual says:

... crypt() will return a hashed string using the standard Unix DES-based algorithm or alternative algorithms that may be available on the system ...

What I understand from here is that crypt() only uses the algorithm as implemented by the system. And surely DES is implemented as an encryption algorithm rather than a custom hashing algorithm for crypt.

PS - I know that DES was way back in the past and nobody should use it anymore.

Answers


The idea of DES-based password hashing is, basically, to encrypt a block of zeroes with the password and passed salt for some number of rounds. Any half-decent encryption makes key recovery hard even in the face of known plaintext, so that’s why it’s possible to make strong password hashes out of encryption functions.

I think the PHP default is compatible with this scheme.
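As an added example (not part of the original answers), the PHP sketch below shows how a DES-based crypt() value is used as a one-way hash: verification recomputes the hash with the stored value as the salt argument and never decrypts anything. The function names, passwords and the salt `ab` are constructed for illustration; it also shows the 8-character key limit of traditional DES crypt and the upgrade to password_hash().

```php
<?php
// Added example; helper names, passwords and salt are constructed sample values.

// Traditional DES crypt is selected by a 2-character salt from ./0-9A-Za-z.
function des_crypt_hash(string $password, string $salt): string
{
    if (!defined('CRYPT_STD_DES') || CRYPT_STD_DES !== 1) {
        throw new RuntimeException('Standard DES crypt is not available');
    }
    if (!preg_match('#^[./0-9A-Za-z]{2}$#', $salt)) {
        throw new InvalidArgumentException('DES salt must be 2 chars from ./0-9A-Za-z');
    }
    // The password becomes the DES key; the output is salt + encoded ciphertext.
    return crypt($password, $salt);
}

// Verification: re-run crypt() with the stored hash as the salt argument
// (crypt reads the salt from its first two characters) and compare in
// constant time. There is no decryption step and no key to recover with.
function des_crypt_verify(string $password, string $stored): bool
{
    return hash_equals($stored, crypt($password, $stored));
}

$stored = des_crypt_hash('correct horse', 'ab');

echo "stored value:      ", $stored, "\n";
echo "length is 13:      ", var_export(strlen($stored) === 13, true), "\n";
echo "right password:    ", var_export(des_crypt_verify('correct horse', $stored), true), "\n";
echo "wrong password:    ", var_export(des_crypt_verify('wrong horse', $stored), true), "\n";

// Traditional DES crypt builds its 56-bit key from the first 8 characters
// only. This candidate shares "correct " (8 characters) with the original.
echo "same first 8:      ", var_export(des_crypt_verify('correct battery', $stored), true), "\n";

// Upgrade path: password_verify() understands crypt() hashes, and
// password_needs_rehash() flags anything not produced by the current default.
$candidate = 'correct horse';
if (password_verify($candidate, $stored)
    && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
    $stored = password_hash($candidate, PASSWORD_DEFAULT);
}
echo "after upgrade:     ", var_export(password_verify('correct horse', $stored), true), "\n";
echo "prefix no longer accepted: ",
    var_export(!password_verify('correct battery', $stored), true), "\n";
```

Rehashing can only happen at login time, when the plaintext password is available, which is why the upgrade sits inside the successful-verification branch.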

