Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:117071 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 72029 invoked from network); 19 Feb 2022 23:57:30 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 19 Feb 2022 23:57:30 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 0B81C180381 for ; Sat, 19 Feb 2022 17:16:21 -0800 (PST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-0.7 required=5.0 tests=BAYES_05,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS15169 209.85.128.0/17 X-Spam-Virus: No X-Envelope-From: Received: from mail-wr1-f50.google.com (mail-wr1-f50.google.com [209.85.221.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Sat, 19 Feb 2022 17:16:17 -0800 (PST) Received: by mail-wr1-f50.google.com with SMTP id h6so20751436wrb.9 for ; Sat, 19 Feb 2022 17:16:17 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=lFY03qAbcM9IbNgd0JflJXgVyRx5TxkreYswCSaBdow=; b=a8MsNPGrsfjS86pRfTEHhrUqA73ILHpmqjPGa44LhodoUuQAHSDxh2Tk1McpfkU+xT QrnoniyERmsaQiCZORi9cXp8dr5hx3rWye6FLA2X3h+WJMUrLen5p7Ws6psHPu8Qioqo SC+STvS2kipkCplYziAOQ7xy650zCNds8FYnMHM3e+9f/qMD4rit/xB1l2Khd8ciEIa6 SigRAqI6NYG/Pa/sV7NUCW2Nt/J6U5exMk5FdkzmBAggVqHtYGWNKGKirhI89ABqPf9h whKldP2QTGeoNS1X+R1K+DWiO1/bk5wowYlde+i92NYi9ChLOFuZ09eNktXct/j30NBz k7Hw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=lFY03qAbcM9IbNgd0JflJXgVyRx5TxkreYswCSaBdow=; b=flSqQaIafY5Enwgw4A/BPvpsaTOVqBDsIasMkWeZRx093MTK0FKHthl3tcxGPQxQmm rBALLZrl3qPtmbt4wk2GyBELYQwzgYct3ro9g5+gUpe6f+hoOxsy/z0DWjeTl5dSt/p4 rrPHtCvLgCrg8alozAj+Fb5HKqIuwubspxI6pR92Ve+bp254H0lHPiGm7iMcgxv0ORZE EI4AwA8P1CKksshP7ea1TFDbqO95wpEk9Pn0rcs7g1t3HGU1sWl/UideBMMziNF1dhGD HWSBbgpz3UUHgBqkXz5gzx3K/ojQqvR1PWp3ridJP7horJ3XatAYSfCobaYb3/yRHIKc Ddrw== X-Gm-Message-State: AOAM533Kgp68hgHs3ll+BUTMQCLGi86LMo3iByQUqQ7A1k5kyRu8fudJ TJL+1+wz4YYimMM87k4CMMjTsdFv9XTYsPLgJkPIqmMF X-Google-Smtp-Source: ABdhPJw5kNBm6ZqZh5WMbKgTVV8w0hxYkaZcmjhKCVUxerrgGBRaZqu36GpTyXSuNR0G2HIOSStBOdkHJmWMJqmwzT8= X-Received: by 2002:adf:fcc7:0:b0:1e6:fa5:f61 with SMTP id f7-20020adffcc7000000b001e60fa50f61mr10390827wrs.240.1645319775872; Sat, 19 Feb 2022 17:16:15 -0800 (PST) MIME-Version: 1.0 References: <5983302.2649742.1645319015766@email.ionos.com> In-Reply-To: <5983302.2649742.1645319015766@email.ionos.com> Date: Sat, 19 Feb 2022 20:16:04 -0500 Message-ID: To: PHP internals Content-Type: multipart/alternative; boundary="000000000000c86a2f05d868dc09" Subject: Re: [PHP-DEV] RFC proposal to deprecate crypt() From: vasilii.b.shpilchin@gmail.com (Vasilii Shpilchin) --000000000000c86a2f05d868dc09 Content-Type: text/plain; charset="UTF-8" Hashes are not for passwords only. For instance, hashes usually in use in sharding and to calculate checksums. I suggest to add a warning to the documentation, something like: if you need to hash a password, use password_hash(). Best regards, Vasilii. On Sat, Feb 19, 2022, 8:03 PM wrote: > crypt() should be deprecate because it can be used to create bad password > hashes: > > * descrypt: 12 bits of salt is too small and it's ~100x faster to crack > than md5crypt. Which itself is too fast for password crackers (see > CVE-2012-3287). > * Extended DES: 24 bits of salt is too small. > * md5crypt is too fast for password crackers (see CVE-2012-3287). > * sha256crypt and sha512crypt are dangerous (see CVE-2016-20013). > > Since password_verify() and password_needs_rehash() already supports > hashes created with crypt(), the only thing needed to do is remove crypt(). > > -- > PHP Internals - PHP Runtime Development Mailing List > To unsubscribe, visit: https://www.php.net/unsub.php > > --000000000000c86a2f05d868dc09--