password encryption - Can someone clarify how the PHP function crypt() works?
From my understanding, crypt(string, salt) takes the salt and tacks it onto the front of the encrypted version of the string parameter.

$pw = "secret";
$format_and_salt = '$2y$10$mwrmztkwmtc5zgjjzdi1nt';
$hash = crypt($pw, $format_and_salt);

$hash gets stored in the database column hashed_password as:

$2y$10$mwrmztkwmtc5zgjjzdi1nofgsqugiu7ezetpe.uhjgqbmdrw2.vqm

or, broken down:

first part ($format_and_salt): $2y$10$mwrmztkwmtc5zgjjzdi1n (sans 't')
+
second part (encrypted $pw): ofgsqugiu7ezetpe.uhjgqbmdrw2.vqm

If I use crypt() again to validate the password the user submits via $_POST against the stored hashed_password in the database, the output in both cases doesn't seem to reflect the logic described above. I'm missing something.

So then:

$existing_hash = $admin['hashed_password'];

($admin being an array derived from a query), and

crypt($pw, $existing_hash)

returns $2y$10$mwrmztkwmtc5zgjjzdi1nofgsqugiu7ezetpe.uhjgqbmdrw2.vqm, which is identical to $hash above. This works to validate or invalidate the user's submission via $_POST, as mentioned, but if I follow the logic of the first crypt() above, I'd expect:

first part ($existing_hash): $2y$10$mwrmztkwmtc5zgjjzdi1nofgsqugiu7ezetpe.uhjgqbmdrw2.vqm
+
second part (encrypted $pw): ofgsqugiu7ezetpe.uhjgqbmdrw2.vqm

which I'd expect to combine as: $2y$10$mwrmztkwmtc5zgjjzdi1nofgsqugiu7ezetpe.uhjgqbmdrw2.vqmofgsqugiu7ezetpe.uhjgqbmdrw2.vqm

Can anyone explain why the original crypt() and the crypt() used to validate the first one both have the same output? Thanks in advance.
You're using Blowfish encryption - only the first 22 characters of the salt are used. That's one of the benefits of using Blowfish.

From the PHP manual:

Blowfish hashing with a salt as follows: "$2a$", "$2x$" or "$2y$", a two digit cost parameter, "$", and 22 characters from the alphabet "./0-9A-Za-z".

This means the salt from $existing_hash ends up being $2y$10$mwrmztkwmtc5zgjjzdi1n - the same as previously.
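The behaviour the answer describes can be checked directly. The script below is an added example, not code from the question or answer: it splits a bcrypt string into its identifier, cost, 22-character salt and 31-character digest, shows that crypt() applied with the full stored hash as its second argument yields the stored hash again (because crypt() reads only the 29-character settings prefix), and verifies a submitted password with a constant-time comparison. The salt is generated with random_bytes() here rather than the fixed salt from the question; the function names parseBcrypt, makeBcryptHash and verifyWithCrypt are this example's own.

```php
<?php
// Added example (not from the original question or answer).
// Shows why crypt($pw, $existing_hash) returns $existing_hash: for bcrypt,
// crypt() uses only the "$2y$<cost>$<22-char salt>" prefix of its second
// argument and ignores the 31-character digest that follows it.

declare(strict_types=1);

// Split a bcrypt string into its fields. Returns null if it is not bcrypt.
function parseBcrypt(string $hash): ?array
{
    $re = '#^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})?$#';
    if (preg_match($re, $hash, $m) !== 1) {
        return null;
    }
    return [
        'ident'    => $m[1],
        'cost'     => (int) $m[2],
        'salt'     => $m[3],
        'digest'   => $m[4] ?? '',
        // the 29-character prefix crypt() actually reads
        'settings' => '$' . $m[1] . '$' . $m[2] . '$' . $m[3],
    ];
}

// Hash a password with a fresh random salt (constructed here; the question used a fixed one).
function makeBcryptHash(string $password, int $cost = 10): string
{
    // 16 random bytes -> 22 characters of the bcrypt alphabet "./A-Za-z0-9".
    // Standard base64 uses '+', which bcrypt does not, so map it to '.'.
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $settings = sprintf('$2y$%02d$%s', $cost, $salt);
    $hash = crypt($password, $settings);
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt unavailable or settings rejected');
    }
    return $hash;
}

// Verify a submitted password against a stored hash without leaking timing.
function verifyWithCrypt(string $submitted, string $storedHash): bool
{
    return hash_equals($storedHash, crypt($submitted, $storedHash));
}

$stored = makeBcryptHash('secret');
$parts  = parseBcrypt($stored);

echo "stored hash:        $stored\n";
echo "settings prefix:    {$parts['settings']}\n";
echo "digest part:        {$parts['digest']}\n";

// Passing the whole stored hash as the "salt" gives the stored hash back,
// not the stored hash with a second digest appended.
var_dump(crypt('secret', $stored) === $stored);             // bool(true)
var_dump(crypt('secret', $parts['settings']) === $stored);  // bool(true)
var_dump(verifyWithCrypt('secret', $stored));               // bool(true)
var_dump(verifyWithCrypt('Secret', $stored));               // bool(false)

// password_verify() (PHP >= 5.5) performs the same prefix parsing and
// constant-time comparison, so new code should prefer it over raw crypt().
var_dump(password_verify('secret', $stored));               // bool(true)
```

Because bcrypt's salt is 128 bits, the 22nd salt character carries only two usable bits and crypt() canonicalises it in the output; that is why the salt the question supplied ends in 't' while the stored hash shows a different character at that position. Comparing against the stored hash with hash_equals(), or simply using password_verify(), sidesteps the issue entirely.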