Newsgroups: php.internals
Xref: news.php.net php.internals:117072
Date: Sat, 19 Feb 2022 19:57:47 -0600 (CST)
To: PHP internals
Message-ID: <617145502.2652453.1645322267217@email.ionos.com>
References: <5983302.2649742.1645319015766@email.ionos.com>
Subject: Re: [PHP-DEV] RFC proposal to deprecate crypt()
From: steve@tobtu.com

hash() is for cryptographic hashes and checksums. crypt() only supports password hashing algorithms which should not be used as a cryptographic hash or checksum because they are purposefully slow.

> On 02/19/2022 7:16 PM Vasilii Shpilchin wrote:
>
> Hashes are not for passwords only. For instance, hashes are usually used in
> sharding and to calculate checksums. I suggest adding a warning to the
> documentation, something like: if you need to hash a password, use
> password_hash().
>
> Best regards,
> Vasilii.
>
> On Sat, Feb 19, 2022, 8:03 PM wrote:
>
> > crypt() should be deprecated because it can be used to create bad password
> > hashes:
> >
> > * descrypt: 12 bits of salt is too small and it's ~100x faster to crack
> > than md5crypt. Which itself is too fast for password crackers (see
> > CVE-2012-3287).
> > * Extended DES: 24 bits of salt is too small.
> > * md5crypt is too fast for password crackers (see CVE-2012-3287).
> > * sha256crypt and sha512crypt are dangerous (see CVE-2016-20013).
> >
> > Since password_verify() and password_needs_rehash() already support
> > hashes created with crypt(), the only thing needed to do is remove crypt().
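
The migration path the quoted proposal relies on, as an added example that is not code from this thread or from php-src: a stored crypt() hash is classified by its prefix, verified with password_verify(), and replaced with a password_hash() hash when password_needs_rehash() reports it is not the current default. The function names `cryptScheme` and `verifyAndUpgrade`, the sample password and the salt are constructed for illustration; PHP 8.0 or later is assumed.

```php
<?php
declare(strict_types=1);

// Map a stored hash to the scheme that produced it, using the standard
// crypt(3) prefixes for the algorithms named in the thread.
function cryptScheme(string $hash): string
{
    return match (true) {
        str_starts_with($hash, '$1$')     => 'md5crypt',
        str_starts_with($hash, '$5$')     => 'sha256crypt',
        str_starts_with($hash, '$6$')     => 'sha512crypt',
        str_starts_with($hash, '$2')      => 'bcrypt',
        str_starts_with($hash, '$argon2') => 'argon2',
        str_starts_with($hash, '_')       => 'extended DES',
        (bool) preg_match('#^[./0-9A-Za-z]{13}$#', $hash) => 'descrypt',
        default => 'unknown',
    };
}

// Verify against whatever is stored. If the password is correct but the hash
// is not the current default algorithm, return a replacement hash that the
// caller should persist in place of the old one.
function verifyAndUpgrade(string $password, string $stored): array
{
    if (!password_verify($password, $stored)) {
        return ['ok' => false, 'newHash' => null];
    }
    $newHash = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return ['ok' => true, 'newHash' => $newHash];
}

// Constructed sample: a legacy md5crypt record as an older application
// might have stored it (password and salt are made up for this example).
$legacy = crypt('correct horse', '$1$constrct$');

$result = verifyAndUpgrade('correct horse', $legacy);
printf(
    "stored=%s ok=%s upgraded-to=%s\n",
    cryptScheme($legacy),
    var_export($result['ok'], true),
    $result['newHash'] === null ? 'none' : cryptScheme($result['newHash'])
);

// A wrong password never triggers a rehash.
$bad = verifyAndUpgrade('wrong guess', $legacy);
printf("wrong password: ok=%s\n", var_export($bad['ok'], true));
```

The upgrade can only happen at login, because that is the one moment the plaintext password is available; accounts that never log in keep their legacy hash until they are reset.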