Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:117109
Return-Path: <tim@bastelstu.be>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 28141 invoked from network); 21 Feb 2022 16:32:49 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 21 Feb 2022 16:32:49 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id B90F3180544
	for <internals@lists.php.net>; Mon, 21 Feb 2022 09:52:04 -0800 (PST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE,
	SPF_PASS autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS24940 176.9.0.0/16
X-Spam-Virus: No
X-Envelope-From: <tim@bastelstu.be>
Received: from chrono.xqk7.com (chrono.xqk7.com [176.9.45.72])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Mon, 21 Feb 2022 09:52:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bastelstu.be;
	s=mail20171119; t=1645465922;
	bh=0Sq7l8j6BNPYSdhCRndnRTRxGBH1ND0iZ1X68VDbOgI=;
	h=Date:Subject:To:Cc:References:From:In-Reply-To:From;
	b=KgM6RtHGh4Z77Qf2U2B92u/Zs/zysy8OeZHtPhHDmmshBe5H+nLxTQShkOC7V1hyw
	 Rcb2JvQkYMch1HQ0CI6SJRXlaJ5oORw64ttRFyFwCSBTCjnhvg92E7SvO2pChzGEe/
	 E1TnNxVaIwVieqCQK4Hf7MOYnypwX/hXz6B24muJPEtHGaOcJxyna5zp0wlOokGA4m
	 N54xiiAALFi8n8BBqsv0O/Pj3vzTU1O5TEqo8tgm9LPAf0x5oTxxN/rEmz+wfwpoHX
	 henaBnulSGAAb7vjHeeg34r9NTvzC8Ww5JVQqPhcLm21h+Ffe7Mih4+/yW//q23h1E
	 dhJPlNuI30rZg==
Message-ID: <b948f796-21e7-fa9a-351b-ea9214aea93d@bastelstu.be>
Date: Mon, 21 Feb 2022 18:51:59 +0100
MIME-Version: 1.0
Content-Language: en-US
To: steve@tobtu.com, Marco Pivetta <ocramius@gmail.com>,
 Stanislav Malyshev <smalyshev@gmail.com>
Cc: PHP Internals List <internals@lists.php.net>
References: <5983302.2649742.1645319015766@email.ionos.com>
 <6238bf00-011e-35cc-d84b-4082b4f05099@gmail.com>
 <497325306.1564942.1645357444018@email.ionos.com>
 <3c6871ca-589d-6812-800c-a3b9ad6bb575@bastelstu.be>
 <CADyq6sLWRfD2DJwRNWmX=s7rbA2Rs+Agu9tsW9mLQbCeJ27vwA@mail.gmail.com>
 <40015164-ac0c-336d-c7d6-c4766d6caff8@gmail.com>
 <CADyq6s+e_Jkwg1UoGS_e23=6FciRB2-d8q_NxkREMt45f=vs8g@mail.gmail.com>
 <b52c5f52-3295-7792-1897-c170bb132331@bastelstu.be>
 <1846031176.2904638.1645461835527@email.ionos.com>
In-Reply-To: <1846031176.2904638.1645461835527@email.ionos.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: [PHP-DEV] RFC proposal to deprecate crypt()
From: tim@bastelstu.be (=?UTF-8?Q?Tim_D=c3=bcsterhus?=)

Hi Steve,

I wanted to stay away from this thread, as I believe I've made my 
opinion clear and there's not much more signal for me to add, but as 
you've replied to me directly:

On 2/21/22 17:43, steve@tobtu.com wrote:
> If crypt() is removed, you can still use password_verify() to verify all the password hashes created by crypt().

Yes, this is true. It also appears to be tested by 
ext/standard/tests/password/password_verify.phpt for the DES style hashes.

However it does not appear to be documented at password_verify() 
(https://www.php.net/manual/en/function.password-verify.php), so that 
likely should be adjusted first.

> The only thing you lose is creating those bad password hashes. Which can be done in userland because most people aren't changing their passwords daily. So it will run that slow userland code infrequently. This will not help the nested bcrypt example. Well besides the last bcrypt call can be password_verify():
> 

Please ignore that "nested BCrypt" example for a moment, that wasn't my 
main point, it's a legacy implementation (for good reason), any new 
hashes in that software are regular BCrypt hashes based on 
password_hash() and any old passwords are rehashed on login. If that 
legacy hashing breaks, then so-be-it [1].

The larger point I've attempted to make is that crypt() is the lowest 
common denominator for interoperability with other programming languages 
and software (specifically libc), as also acknowledged by the Rowan and 
Jakub.

Yes, in the ideal world everyone would use just BCrypt (or Argon2 [2]), 
but unfortunately that isn't a reality. Removing the functionality from 
PHP is not likely to achieve this goal faster, as users will either not 
upgrade PHP or defer to a userland implementation.

While the latter certainly is an option, implementing a hashing 
algorithm definitely is something that is highly non-trivial to do in 
userland. If the deprecation of crypt() leads to a dozen (semi-)broken 
and insecure userland implementations to keep compatibility with 
whatever software that uses crypt() then I consider that a net-negative 
as well.

So:

- Improving the docs page for crypt(): Yes please.
- Deprecating CRYPT_STD_DES which is easy to accidentally use by not 
passing a valid algorithm indicator: That's also a yes.
- Rejecting long inputs (e.g. > 512 Bytes) for CRYPT_SHA256 / 
CRYPT_SHA512: Sure, that also makes sense.
- Completely removing support for crypt(): I'd rather not, because see 
above.

Best regards
Tim Düsterhus

[1] Even if I'd prefer it didn't as users sometimes come back to their 
account after several years. They still know their passwords, but in 
many cases their email address no longer is valid, thus they can't reset 
their password.

[2] Which incidentally might not be more secure that BCrypt for common 
configurations: https://twitter.com/TerahashCorp/status/1155129705034653698