Newsgroups: php.internals
Subject: Re: [PHP-DEV] todo: crypt_blowfish issue
From: johannes@schlueters.de (Johannes Schlüter)
To: David Zülke
Cc: Stas Malyshev, Pierre Joye, Rasmus Lerdorf, PHP internals
Date: Tue, 28 Jun 2011 14:26:42 +0200

On Tue, 2011-06-28 at 12:19 +0200, David Zülke wrote:
> On 27.06.2011, at 01:55, Stas Malyshev wrote:
>
> > However, it still has a chance somebody's data won't work after the
> > update if he had 8-bit data hashed with old crypt(). He would need
> > either to re-hash or to change prefix from $2a to $2x.
>
> IMO that's a fair trade-off; people could even implement this in their
> app code by replacing "$2a" with "$2x" for a transitional period in
> the hash if the comparison fails (and then simply re-hash the password
> again with $2a so it's secure). I'm volunteering to write the
> necessary code sample for the upgrading notes :p

if people read it ... what might happen is that people test when
upgrading (yay!), all tests and all work, and then 1% of the users or so
can't log in anymore (with a European site for instance, where 8-bit
characters might happen ...)

johannes

> David
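The transitional check David sketches above, written out as an added example (not code from the thread or from PHP itself). It assumes a crypt() build where "$2x$" selects the old 8-bit behaviour and "$2a$" the corrected one, and hypothetical helpers fetchUser(), storeHash() and deny() for the application side.

```php
<?php
// Added example, not from the thread. Assumes crypt() understands "$2x$"
// as "reproduce the old, buggy 8-bit handling" and "$2a$" as the fixed
// algorithm; fetchUser()/storeHash()/deny() are hypothetical app helpers.

/**
 * Verify $password against a stored bcrypt hash. If a pre-upgrade "$2a$"
 * hash no longer matches (it was made from 8-bit input by the old crypt()),
 * retry it once as "$2x$". On a "$2x$" match, re-hash with "$2a$" so the
 * legacy path is taken only once per user.
 *
 * Returns the hash that should now be stored (a fresh "$2a$" hash after a
 * legacy match, the unchanged hash otherwise), or null if the password
 * is wrong.
 */
function verifyWithLegacyFallback($password, $storedHash)
{
    // Normal path: the corrected algorithm reproduces the stored hash.
    if (hash_equals($storedHash, crypt($password, $storedHash))) {
        return $storedHash;
    }

    // Transitional path, for old "$2a$" hashes only. "$2x$" must never be
    // used to create new hashes; it exists solely to match the old output.
    if (strncmp($storedHash, '$2a$', 4) !== 0) {
        return null;
    }
    $legacyHash = '$2x$' . substr($storedHash, 4);
    if (!hash_equals($legacyHash, crypt($password, $legacyHash))) {
        return null;
    }

    // Password proven under the old behaviour: re-hash with "$2a$" now so
    // the weakened legacy hash leaves storage. Keep the original cost
    // ("$2a$10$..." -> "10") and draw a fresh 22-character salt.
    $cost = substr($storedHash, 4, 2);
    $raw  = base64_encode(openssl_random_pseudo_bytes(16));
    $salt = substr(strtr($raw, '+', '.'), 0, 22);
    return crypt($password, '$2a$' . $cost . '$' . $salt);
}

// Usage at login: a non-null result that differs from the stored value
// must be written back to the user record.
$user    = fetchUser($_POST['username']);
$newHash = verifyWithLegacyFallback($_POST['password'], $user['hash']);
if ($newHash === null) {
    deny();
} elseif ($newHash !== $user['hash']) {
    storeHash($user['id'], $newHash);
}
```

On a build without "$2x$" support, crypt() fails for that prefix and the fallback simply rejects, so the check fails closed rather than accepting anything.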