Newsgroups: php.internals
Date: Sat, 19 Feb 2022 19:03:35 -0600 (CST)
To: internals@lists.php.net
Message-ID: <5983302.2649742.1645319015766@email.ionos.com>
Subject: RFC proposal to deprecate crypt()
From: steve@tobtu.com

crypt() should be deprecated because it can be used to create bad password hashes:

* descrypt: 12 bits of salt is too small and it's ~100x faster to crack than md5crypt, which itself is too fast for password crackers (see CVE-2012-3287).
* Extended DES: 24 bits of salt is too small.
* md5crypt is too fast for password crackers (see CVE-2012-3287).
* sha256crypt and sha512crypt are dangerous (see CVE-2016-20013).

Since password_verify() and password_needs_rehash() already support hashes created with crypt(), the only thing that needs to be done is to remove crypt().
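The migration path the post relies on, as an added PHP example that is not code from the post or from php-src: audit stored hashes for the crypt() schemes listed above, then replace them at the next successful login using only password_verify() and password_needs_rehash(). The function names legacyCryptScheme() and verifyAndUpgrade(), the cost of 12 and the sample password are this example's own assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the mailing-list post's code. Function names, the bcrypt
// cost and the sample credentials are assumptions made for illustration.

/** Name the weak crypt() scheme a stored hash uses, or null if it is not one. */
function legacyCryptScheme(string $hash): ?string
{
    if (str_starts_with($hash, '$1$')) return 'md5crypt';
    if (str_starts_with($hash, '$5$')) return 'sha256crypt';
    if (str_starts_with($hash, '$6$')) return 'sha512crypt';
    // Extended DES: "_" + 4 chars of iteration count + 4 chars salt + 11 chars hash
    if (str_starts_with($hash, '_') && strlen($hash) === 20) return 'extended DES';
    // Traditional descrypt: 2-char salt + 11-char hash, all from the crypt alphabet
    if (preg_match('#^[./0-9A-Za-z]{13}$#', $hash) === 1) return 'descrypt';
    return null;
}

/**
 * Verify $password against $storedHash. Returns null on failure; on success
 * returns the hash that should now be stored, which is a fresh bcrypt hash
 * whenever the stored one came from a legacy crypt() scheme.
 */
function verifyAndUpgrade(string $password, string $storedHash): ?string
{
    // password_verify() is backed by crypt(), so every legacy format still verifies.
    if (!password_verify($password, $storedHash)) {
        return null;
    }
    // password_needs_rehash() is true for anything that is not bcrypt at this
    // cost, which covers every crypt()-generated format above.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => 12])) {
        return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    }
    return $storedHash;
}

// Constructed sample: an md5crypt hash of "correct horse" produced by crypt().
$legacy = crypt('correct horse', '$1$saltsalt$');
echo "stored scheme: ", legacyCryptScheme($legacy) ?? 'none', "\n";

$new = verifyAndUpgrade('correct horse', $legacy);
echo "after login:   ", legacyCryptScheme($new) ?? 'none (bcrypt)', "\n";

var_dump(verifyAndUpgrade('wrong password', $legacy) === null);
```

Run the audit function over the stored hash column to measure how many accounts still carry a legacy scheme before the deprecation lands; accounts that never log in again keep their weak hash and need a forced reset instead.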