Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:117107
Return-Path: <craig@craigfrancis.co.uk>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 23940 invoked from network); 21 Feb 2022 16:16:30 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 21 Feb 2022 16:16:30 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 82AB9180549
	for <internals@lists.php.net>; Mon, 21 Feb 2022 09:35:46 -0800 (PST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,
	RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=no
	autolearn_force=no version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <craig@craigfrancis.co.uk>
Received: from mail-lf1-f48.google.com (mail-lf1-f48.google.com [209.85.167.48])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Mon, 21 Feb 2022 09:35:46 -0800 (PST)
Received: by mail-lf1-f48.google.com with SMTP id bu29so20100924lfb.0
        for <internals@lists.php.net>; Mon, 21 Feb 2022 09:35:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=craigfrancis.co.uk; s=default;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=7DT9wgFzD+IP0gK1ZAYhcGcW5w/GQds/mh3aexSmuG8=;
        b=f62mPpVGP5mELxysPxtPuMNTiMo13bXPZuH2bNBf5oaJe5vHn95ruU370MwR9VKTsb
         tjRgF2/6i110uK6I+tU2cvzLSjP0ywtxjYlSrFdRXm81tUk4ZZj+Tf7C9Jfmz8Fjkg9x
         26Cq29e12X/oNi+BVE7j3KmPrSNR8pYH2pxk0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=7DT9wgFzD+IP0gK1ZAYhcGcW5w/GQds/mh3aexSmuG8=;
        b=cSULnN+5o9aR4S7Sicg8tfZ87keBVv3j8wCHJGx4kGI5km3KhIN5/oeSP0lqXK5un2
         64HGVV2phT5d1KLQDqO++EQtgJjVBbZ23f0y/edx2/9r8KSs+45dylXScG0eAOGyB8ht
         6WYQ7rMMtt6aDv+gpF0HxikudFTHqqI5jklNiWCaNRqJglmEdPB2VHmRHuzoXQ2o4JhR
         FZn0VYlpjqnbmRdXkCFNyI9cN6a+etuIfbJcHbBcSUiUYrZ4HENX1u68KdeLWa37p6pm
         SUsI/MirO8ANG/wv3PS65BsPGy8Qlfje7IskGn390Wu4zMLcE/6pvnz9n9L+TD+sGldK
         xFBw==
X-Gm-Message-State: AOAM533uyI2f5PzJbsH8EB33jt2ZFeRyBaHA1xqFzFJFnX6TqnZpm1i1
	6jpQCpME5tjlQ8mOVK8ZrATsqHD34BsPZZKFKczKQA==
X-Google-Smtp-Source: ABdhPJxxEqQI9ZLwBqECzS07xlJa9Gx/pLMeXWsueGgrcQT613nzlk/3rIxUIbhDw1S8yhYde0o/vn9Bk7/zJAO22Cg=
X-Received: by 2002:a05:6512:2191:b0:443:2ef2:80a6 with SMTP id
 b17-20020a056512219100b004432ef280a6mr14515558lft.455.1645464944556; Mon, 21
 Feb 2022 09:35:44 -0800 (PST)
MIME-Version: 1.0
References: <5983302.2649742.1645319015766@email.ionos.com>
 <6238bf00-011e-35cc-d84b-4082b4f05099@gmail.com> <497325306.1564942.1645357444018@email.ionos.com>
 <3c6871ca-589d-6812-800c-a3b9ad6bb575@bastelstu.be> <CADyq6sLWRfD2DJwRNWmX=s7rbA2Rs+Agu9tsW9mLQbCeJ27vwA@mail.gmail.com>
 <40015164-ac0c-336d-c7d6-c4766d6caff8@gmail.com> <CADyq6s+e_Jkwg1UoGS_e23=6FciRB2-d8q_NxkREMt45f=vs8g@mail.gmail.com>
 <b52c5f52-3295-7792-1897-c170bb132331@bastelstu.be> <1846031176.2904638.1645461835527@email.ionos.com>
In-Reply-To: <1846031176.2904638.1645461835527@email.ionos.com>
Date: Mon, 21 Feb 2022 17:35:33 +0000
Message-ID: <CAFv4g+ERLkttfdJKyTcv6pRF8OQXtF+5sDzvoUEZYndVPjp7Zg@mail.gmail.com>
To: steve@tobtu.com
Cc: =?UTF-8?Q?Tim_D=C3=BCsterhus?= <tim@bastelstu.be>, 
	Marco Pivetta <ocramius@gmail.com>, Stanislav Malyshev <smalyshev@gmail.com>, 
	PHP Internals List <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="00000000000082cf0b05d88aa91b"
Subject: Re: [PHP-DEV] RFC proposal to deprecate crypt()
From: craig@craigfrancis.co.uk (Craig Francis)

--00000000000082cf0b05d88aa91b
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Mon, 21 Feb 2022 at 16:44, <steve@tobtu.com> wrote:

> If crypt() is removed [...] The only thing you lose is creating those bad
> password hashes.



That's not exactly fair, as noted by Tim, `crypt()` can be used for other
software (e.g. Dovecot); and by Hans for modifying `/etc/shadow`.

While I would warn most developers away from using crypt(), because it is
dangerous, it can still be useful (dare I say it, md5, terrible idea, but
sometimes you need it when integrating with other systems).

Craig


On Mon, 21 Feb 2022 at 10:11, Tim D=C3=BCsterhus <tim@bastelstu.be> wrote:

> crypt() allows one to interoperate with non-PHP-software that does not
> support BCrypt, but supports the SHA-X variants. I already mentioned
> Dovecot as an example.


On Mon, 21 Feb 2022 at 12:04, Hans Henrik Bergan <divinity76@gmail.com>
wrote:

> script modifying a linux system's /etc/passwd / /etc/shadow using crypt()
> because password_hash() couldn't create passwd/shadow-compatible hashes
> while crypt() could

--00000000000082cf0b05d88aa91b--