Passwords/php-hashes/README.md
Lines changed: 6 additions & 4 deletions
@@ -1,6 +1,6 @@
1
1
# PHP magic hashes
2
2
3
-
PHP has some unique features which makes hash collisions more easier when using the `==` to compare.
3
+
PHP has some unique features which makes hash "collisions" more easier when using the `==` to compare.
4
4
5
5
The raw text are taken directly from [spaze/hashes](https://github.com/spaze/hashes/)
6
6
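Review bot: the `+` line keeps the double comparative "more easier" and the awkward "when using the `==` to compare"; the new quotation marks around "collisions" are the right call, since these are `==` loose-comparison equalities rather than genuine hash collisions, so suggest finishing the sentence: `PHP has some unique features which make hash "collisions" easier when comparing with` `==`. The unchanged context line "The raw text are taken directly from" should also read "is taken"; it is outside this change but could be folded into the same commit.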
@@ -10,9 +10,9 @@ The raw text are taken directly from [spaze/hashes](https://github.com/spaze/has
10
10
11
11
Any strings that starts with any numbers of `0`, followed by `e` then ends with only numbers will be treated as zero. An example of such strings are `0e123456` and `00e123456`. [Example code](https://3v4l.org/n8iOp)
12
12
13
-
This behavior can be extended to numbers, like `'0' == '000`. [Example code](https://3v4l.org/K9QRb)
13
+
This behavior can be extended to numbers, like `'0' == '000'`. [Example code](https://3v4l.org/K9QRb)
14
14
15
-
With loose comparison, these two example strings will equate to each other as both of them are treated as a zero in the backend.
15
+
With loose comparison`==`, these two example strings will equate to each other as both of them are treated as a zero in the backend.
16
16
17
17
Sometimes, hashes of specific strings will result in those special strings as an result. Those hashes are called `magic hashes`
18
18
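Review bot: the second `+` line runs prose and code together as "With loose comparison`==`,"; suggest "With loose comparison (`==`), these two example strings ..." and, since "these two example strings" sits two sentences after the examples, name them explicitly: `0e123456` and `00e123456`. The `'000'` backtick fix in the first `+` line is correct. The unchanged context line above still reads "Any strings that starts with any numbers of `0`", which should be "Any string that starts with any number of `0`s".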
@@ -40,8 +40,10 @@ Descrypt have similar behavior to bcrypt, but passwords are instead truncated to
40
40
41
41
<!--- Modified from https://github.com/spaze/hashes?tab%253Dreadme-ov-file#pbkdf2-hmac-sha1-pbkdf2-hmac-sha224-pbkdf2-hmac-sha256-->
42
42
43
+
These are a different kind of magic hashes, they don't need the loose comparison operator `==` and work even with strict comparison `===`.
44
+
43
45
If you use a password longer than 64 bytes and hash it with PBKDF2-HMAC-SHA1, it is first pre-hashed with SHA1.
44
46
45
47
For example, `PBKDF2-HMAC-SHA1(password1) === PBKDF2-HMAC-SHA1(password2)` as `sha1(password1) === bin2hex(password2)`.
46
48
47
-
This behavior can also be seen in `PBKDF2-HMAC-SHA224` and `PBKDF2-HMAC-SHA256`.
49
+
This behavior can also be seen in `PBKDF2-HMAC-SHA224` and `PBKDF2-HMAC-SHA256`.
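Review bot: the added sentence is a comma splice and mixes singular and plural ("a different kind of magic hashes, they don't need"); suggest "These are a different kind of magic hash: they do not rely on the loose comparison operator `==` and hold even under strict comparison `===`, because the PBKDF2 outputs really are identical." That last clause is what the following context lines establish (a password longer than 64 bytes is pre-hashed with SHA1, so `sha1(password1) === bin2hex(password2)` makes the two HMAC keys equal), and stating it here explains why `===` does not help. Separately, the final `-`/`+` pair ("This behavior can also be seen in `PBKDF2-HMAC-SHA224` and `PBKDF2-HMAC-SHA256`.") is identical in the rendered view, so the change is probably trailing whitespace or a missing newline at end of file; worth confirming that is intended rather than an editor artifact.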