Returns the hashed string or a string that is shorter than 13 characters and is guaranteed to differ from the salt on failure.

crypt() will return a hashed string using the standard Unix DES-based algorithm or alternative algorithms that may be available on the system.

Some operating systems support more than one type of hash. In fact, sometimes the standard DES-based algorithm is replaced by an MD5-based algorithm. The hash type is triggered by the salt argument. Prior to 5.3, PHP would determine the available algorithms at install-time based on the system's crypt(). If no salt is provided, PHP will auto-generate either a standard two character (DES) salt, or a twelve character (MD5), depending on the availability of MD5 crypt(). PHP sets a constant named CRYPT_SALT_LENGTH which indicates the longest valid salt allowed by the available hashes.

read more : http://php.net/crypt

As you can see in the documentation, the '''crypt()''' function is used with various different hashing algorithms. So the length can be different and is dependent on the default hashing algorithm that can is determined by the constants described in the documentation.

Note: It is totally limited to ask the question that way, see http://php.net/crypt

Some more details:

• On success the length of the returned string can vary between 13 and 123.
• The output length depends on the hash algorithm used. It remains undefined in your question.
• The output length depends on the salt passed to the function. It remains undefined in your question.
• crypt always returns the hashed string or a string that is shorter than 13 characters and is guaranteed to differ from the salt on failure.

Examples:

Lets start lightly with a simple crypt call and a valid two-character salt for a standard DES-based hash:

 13 :: 2 (salt) + 11 (hash - 64 bits, base 64)

If you use PHP's crypt and specificly MD5 (here better named: md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5; Hashcat mode 500) and an empty salt, the output length is:

 26 :: 3 (`$1$`) + 0 (empty salt) + 1 (`$`) + 22 (hash - 128 bits, base 64)

If on a system where PHP's crypt defaults to the said MD5 and it is called not specifying a salt, crypt will generate the salt. This salt is normally 8 characters long. The output length then is:

 34 :: 3 (`$1$`) + 8 (salt) + 1 (`$`) + 22 (hash)

In this case, your database table column char(32) would either report an error on insert or truncate - depending on which database server you are using.

But the MD5 example is moot, I picked it because you have it in your question, but you should not use MD5 with crypt (see: Md5crypt Password scrambler is no longer considered safe by author).

Instead lets take a look into Blowfish hashing (CRYPT_BLOWFISH). It has a two digit cost parameter and always a salt length of 22 (if a shorter salt is given, it is padded with $s):

 60 :: 4 (`$2y$`) + 3 (cost `$`) + 22 (salt) + 1 (`$`) + 53 (hash)

For the Blowfish crypt hash-algorithm (bcrypt, OpenBSD Blowfish; Hashcat mode 3200) there is a fixed length of 60 then.

As you can see the output length depends on the used hash-algorithm, the length of the salt and even some hash specific parameters like the cost.

If you for example opt of SHA512 with 999 999 999 rounds and a 16 byte long salt, the output length is:

123 :: 3 (`$6$`) + 17 (`rounds=999999999$`) + 16 (salt) + 1 (`$`) + 86 (hash)

This example is a little bit extreme maybe, just to show the picture.

Other crypt related questions:

• Alternative to crypt()
• Comparing passwords with crypt() in PHP
• Can you convert the output of php crypt() to valid MD5?

crypt() relies on the available encryption methods. The most common method for PHP is MD5 which always return 32 characters. Other methods like DES and Blowfish return strings with variable length.

You'll need to know what method the crypt() function is using in your server.