PHP bcrypt Inconsistent Salt


Before I begin: yes, I am aware that I should use PHP's password_hash function when actually storing passwords. This question is about the internals of PHP's hashing system.

So I was messing around with PHP's crypt function the other day, and I noticed some odd behavior with bcrypt.

$password = "totallyagoodpassword";
$salt = "hereisa22charactersalt";

$parameter = '$2y$10$' . $salt;

echo $parameter . PHP_EOL;
echo crypt($password, $parameter);

According to PHP's manual, this code should hash "totallyagoodpassword" using bcrypt, salting it with "hereisa22charactersalt." The output of the hash should be the scheme ("$2y$10$"), followed by the 22 characters of salt, followed by 31 characters of hash. Therefore, I should expect "$2y$10$hereisa22charactersalt" followed by 31 random base64 characters.

So I run the code:

$2y$10$hereisa22charactersalt
$2y$10$hereisa22charactersalev7uylkfhc.ruycp9eg4my7wwdmkgrvg

And I can't help but notice that the salt I passed to crypt and the salt that came out aren't the same; specifically, the last character magically became "e." After running it with different salts, it's still the same quirk: the last character of the salt in the output hash is different.

I'm not a PHP developer, but I'm sure there is some logic behind this behaviour. I'm just curious.

The docs do not state that the output will include the entire 22 bytes of salt. The example in the crypt documentation shows a final "$" on the salt:

crypt('rasmuslerdorf', '$2a$07$usesomesillystringforsalt$')

producing:

$2a$07$usesomesillystringfore2udlvp1ii2e./u9c8sbjqp8i90dh6hi
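The quirk both posts show comes from how bcrypt packs its salt: 22 characters of bcrypt's base64 alphabet carry 132 bits, but the salt itself is only 128 bits (16 bytes), so the low four bits of the 22nd character are discarded on decode and written back as zero when crypt() re-encodes the salt into its output. Below is an added Python example, not code from either post or from PHP, that decodes a 22-character salt with bcrypt's alphabet and re-encodes it the way crypt() does; the function names are my own, and the two salts it is run on are the ones quoted above.

```python
# Added example: why crypt() echoes a bcrypt salt back with a different last character.
# bcrypt uses its own base64 alphabet (not the RFC 4648 one), in this order:
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

SALT_CHARS = 22   # 22 chars * 6 bits = 132 bits in the setting string ...
SALT_BYTES = 16   # ... but only 128 bits (16 bytes) of salt are actually used


def decode_salt(salt22: str) -> bytes:
    """Decode a 22-char bcrypt salt string into its 16 raw bytes.

    Only the top two bits of the last character survive; its low four bits
    have no byte to land in and are dropped. That is why 't' and 'e' (which
    share their top two bits) decode to the same 16 bytes.
    """
    if len(salt22) != SALT_CHARS:
        raise ValueError(f"bcrypt salt must be {SALT_CHARS} characters, got {len(salt22)}")
    bits = 0
    for ch in salt22:
        idx = BCRYPT_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"character {ch!r} is not in the bcrypt base64 alphabet")
        bits = (bits << 6) | idx
    bits >>= 4                                  # discard the 4 trailing bits
    return bits.to_bytes(SALT_BYTES, "big")


def encode_salt(raw: bytes) -> str:
    """Encode 16 raw salt bytes into the canonical 22-char form crypt() prints."""
    if len(raw) != SALT_BYTES:
        raise ValueError(f"bcrypt salt must be {SALT_BYTES} bytes, got {len(raw)}")
    bits = int.from_bytes(raw, "big") << 4      # pad to 132 bits; last 4 bits are zero
    return "".join(
        BCRYPT_ALPHABET[(bits >> (6 * (SALT_CHARS - 1 - i))) & 0x3F]
        for i in range(SALT_CHARS)
    )


def canonical_salt(salt22: str) -> str:
    """The salt as it will appear in crypt()'s output: decode, then re-encode."""
    return encode_salt(decode_salt(salt22))


def salt_from_setting(setting: str) -> str:
    """Pull the salt out of a '$2y$10$<salt...>' setting string.

    Like crypt(), this takes only the first 22 characters after the cost;
    anything beyond that, such as the trailing '$' in the manual's example,
    is ignored.
    """
    parts = setting.split("$")                  # '$2y$10$salt' -> ['', '2y', '10', 'salt...']
    if len(parts) < 4 or parts[1] not in ("2a", "2b", "2y") or not parts[2].isdigit():
        raise ValueError("not a bcrypt setting string")
    return parts[3][:SALT_CHARS]


def explain(setting: str) -> tuple:
    """Return (salt as given in the setting, salt as crypt() will echo it back)."""
    given = salt_from_setting(setting)
    return given, canonical_salt(given)


if __name__ == "__main__":
    # The two settings quoted in the question and in the PHP manual example.
    for setting in ('$2y$10$hereisa22charactersalt', '$2a$07$usesomesillystringforsalt$'):
        given, echoed = explain(setting)
        print(f"{setting!r}: given {given!r}, output will show {echoed!r}")
```

Running it prints that "hereisa22charactersalt" comes back as "hereisa22charactersale" and that the manual's "usesomesillystringfors" (the first 22 characters after the cost) comes back as "usesomesillystringfore", matching both outputs quoted above. The practical consequence is that a salt you generate yourself should be produced from 16 random bytes and encoded with this alphabet; a 22-character string chosen by hand silently loses its last four bits, so the only safe way to compare or re-derive a hash is to use the salt field crypt() itself returned.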
