Newsgroups: php.internals
Subject: Re: [PHP-DEV] bcrypt warning on long passwords
From: Kamil Tekiela <tekiela246@gmail.com>
To: Rob Landers
Cc: internals@lists.php.net
Date: Sun, 9 Feb 2025 21:12:49 +0000
References: <4e41929c-fbd8-44f3-b72d-1b4e6526d001@app.fastmail.com> <634b8634-5845-40bb-8b7b-758e953db696@app.fastmail.com>
In-Reply-To: <634b8634-5845-40bb-8b7b-758e953db696@app.fastmail.com>

On Sun, 9 Feb 2025 at 20:58, Rob Landers wrote:
> I fully agree with you, however it is also the default password hashing algorithm. People may not read the docs and assume a generic implementation that isn’t constrained. Since it is the default and has constraints, we should probably at least warn people when they are using it wrong. They can then do whatever they want (ignore it, migrate to a different hashing algorithm, turn it into an exception, or adjust their inputs).

My point is that passing a password longer than 72 bytes to password_hash is not wrong. The bcrypt algorithm will work fine and just ignore the unnecessary bytes. It is perfectly normal to let users provide longer passwords and pass them to password_hash unrestricted.

What is wrong is when people use password_hash for non-password-related stuff like in the linked article. The problem wasn't that password_hash didn't warn them, but that they prepended the password with non-password information.

I expect an oven to cook a chicken, but if I first fill the oven with water, I'd be insane to expect it to work the same way.
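The behaviour the reply describes, as an added example (this is not code from the thread, from the linked article, or from PHP's own sources): bcrypt only ever sees the first 72 bytes of its input, so two inputs that agree on those bytes verify against the same hash, while changing a byte inside the window does not. The "username prefix" scheme is a constructed anti-pattern that stands in for "prepending non-password information"; with a prefix that already fills the window, any password is accepted. The HMAC-with-pepper variant at the end is one common way to bind extra data without hitting the limit; `cost => 4` is an assumption chosen only to keep the demo fast, not a recommended setting.

```php
<?php
declare(strict_types=1);

// Constructed demo: bcrypt (PASSWORD_BCRYPT) uses only the first 72 bytes of
// its input. Cost 4 is the minimum PHP accepts and keeps this fast; use the
// default cost in real code.
const DEMO_OPTS = ['cost' => 4];

function truncationDemo(): array
{
    $first72 = str_repeat('a', 72);
    $hash = password_hash($first72 . 'TAIL-ONE', PASSWORD_BCRYPT, DEMO_OPTS);

    return [
        // Same first 72 bytes, different tail: verifies, the tail is never seen.
        'tail_ignored'   => password_verify($first72 . 'TAIL-TWO', $hash),
        // One byte changed inside the window: fails as expected.
        'window_checked' => password_verify('b' . substr($first72, 1) . 'TAIL-ONE', $hash),
    ];
}

// Hypothetical anti-pattern: gluing a per-user string in front of the
// password before hashing. Once the prefix alone fills the 72-byte window,
// the password has no influence on the hash at all.
function prefixedHash(string $username, string $password): string
{
    return password_hash($username . ':' . $password, PASSWORD_BCRYPT, DEMO_OPTS);
}

function prefixedVerify(string $username, string $password, string $hash): bool
{
    return password_verify($username . ':' . $password, $hash);
}

function prefixDemo(): array
{
    $longUser = str_repeat('x', 72);   // e.g. a very long e-mail address used as login
    $hash = prefixedHash($longUser, 'correct horse battery staple');

    return [
        // A completely different password "verifies" for this user.
        'wrong_password_accepted' => prefixedVerify($longUser, 'hunter2', $hash),
    ];
}

// If extra data really must be bound in, collapse it to a short fixed-size
// encoding first. An HMAC-SHA256 over the password keyed with a server-side
// pepper, base64-encoded, is 44 bytes: inside the window and free of NUL bytes.
function pepperedHash(string $password, string $pepper): string
{
    $mac = base64_encode(hash_hmac('sha256', $password, $pepper, true));
    return password_hash($mac, PASSWORD_BCRYPT, DEMO_OPTS);
}

function pepperedVerify(string $password, string $pepper, string $hash): bool
{
    $mac = base64_encode(hash_hmac('sha256', $password, $pepper, true));
    return password_verify($mac, $hash);
}

$pepper = 'server-side-secret-not-in-the-db';   // constructed value for the demo
var_dump(truncationDemo(), prefixDemo(), [
    'peppered_ok'    => pepperedVerify('pw', $pepper, pepperedHash('pw', $pepper)),
    'peppered_wrong' => pepperedVerify('PW', $pepper, pepperedHash('pw', $pepper)),
]);
```

Run it with `php demo.php`. The first array shows the limit is a window on the input, not a rejection of long input; the second shows why putting anything other than the password in front of it is the actual bug; the third shows that if you need to mix in a pepper or similar, the fix is to shrink the combined value before bcrypt sees it rather than to warn on long passwords.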