Tags: php, authentication, crypt

PHP Crypt function issue


I am using the crypt function to store user passwords in the DB. The original password is crypted with itself to check it against the one from the DB (I know this is not good practice, but that is the situation at the moment).

The problem is that:

crypt('qixin26428968123', 'qixin26428968123') === crypt('qixin26428968', 'qixin26428968')

So it seems that if, for example, the password is 123456 and the user tries to log in with 123456abcde, the login will be successful, which means that the user can always log in to the system with an arbitrary password as long as its first "n" bits are correct.

Is this a known issue? How can it be fixed? Is there an option I can specify for the crypt function?

Thank you.


Solution

  • From the manual

    The standard DES-based crypt() returns the salt as the first two characters of the output. It also only uses the first eight characters of str, so longer strings that start with the same eight characters will generate the same result (when the same salt is used).

    CRYPT_SHA512 uses 16 characters
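As an added illustration (not part of the question or the answer above), the following PHP script reproduces the 8-character truncation of DES-based crypt(), then shows the two remedies the manual points to: a SHA-512 crypt() hash with a random 16-character salt, and the password_hash()/password_verify() API. It assumes PHP 5.5 or later; the helper names sha512_salt() and verify_crypt() are my own.

```php
<?php
// Added example, not code from the original post. Assumes PHP >= 5.5.

// 1. DES-based crypt(): a two-character salt and only the first eight
//    characters of the password are used, so these two hashes collide.
//    Passing the password itself as the salt (as in the question) has the
//    same effect, because DES keeps only the first two salt characters.
$desA = crypt('qixin26428968123', 'qi');
$desB = crypt('qixin26428968', 'qi');
var_dump($desA === $desB); // bool(true): truncated to "qixin264"

// 2. SHA-512 crypt() with a random 16-character salt drawn from the
//    allowed alphabet [./0-9A-Za-z]. The whole password is now hashed.
//    (hypothetical helper name)
function sha512_salt(): string
{
    // 12 random bytes -> 16 base64 characters, no '=' padding;
    // '+' is not a valid crypt salt character, so map it to '.'.
    $chars = substr(strtr(base64_encode(random_bytes(12)), '+', '.'), 0, 16);
    return '$6$rounds=5000$' . $chars . '$';
}

$salt = sha512_salt();
$shaA = crypt('qixin26428968123', $salt);
$shaB = crypt('qixin26428968', $salt);
var_dump($shaA === $shaB); // bool(false): longer password gives a different hash

// Verifying a stored crypt() hash: the hash string carries its own salt,
// so it can be passed back as the salt. hash_equals() compares in constant
// time so the check does not leak a timing side channel. (hypothetical helper)
function verify_crypt(string $password, string $storedHash): bool
{
    return hash_equals($storedHash, crypt($password, $storedHash));
}
var_dump(verify_crypt('qixin26428968', $shaB));    // bool(true)
var_dump(verify_crypt('qixin26428968123', $shaB)); // bool(false)

// 3. Preferred for new code: password_hash() chooses the algorithm and a
//    random per-user salt and stores both inside the returned string;
//    password_verify() does the constant-time comparison for you.
$stored = password_hash('qixin26428968', PASSWORD_DEFAULT);
var_dump(password_verify('qixin26428968', $stored));    // bool(true)
var_dump(password_verify('qixin26428968123', $stored)); // bool(false)
```

Two points worth keeping in mind when migrating existing rows: a random salt per user is what stops two accounts with the same password from producing the same stored hash, so using the password as its own salt loses that protection even after switching algorithms; and legacy DES hashes cannot be upgraded offline, so the usual pattern is to re-hash with password_hash() at the user's next successful login and replace the stored value then.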