Newsgroups: php.internals
Date: Tue, 28 Jun 2011 14:40:22 +0200
To: David Zülke
Cc: Johannes Schlüter, Stas Malyshev, Pierre Joye, Rasmus Lerdorf, PHP internals
Subject: Re: [PHP-DEV] todo: crypt_blowfish issue
From: tyra3l@gmail.com (Ferenc Kovacs)
In-Reply-To: <53677D08-D961-490B-B0FF-865F4915B6AB@bitextender.com>

2011/6/28 David Zülke:
> On 28.06.2011, at 14:26, Johannes Schlüter wrote:
>
>> On Tue, 2011-06-28 at 12:19 +0200, David Zülke wrote:
>>
>>> On 27.06.2011, at 01:55, Stas Malyshev wrote:
>>>
>>>> However, it still has a chance somebody's data won't work after the
>>>> update if he had 8-bit data hashed with old crypt(). He would need
>>>> either to re-hash or to change prefix from $2a to $2x.
>>>
>>> IMO that's a fair trade-off; people could even implement this in their
>>> app code by replacing "$2a" with "$2x" for a transitional period in
>>> the hash if the comparison fails (and then simply re-hash the password
>>> again with $2a so it's secure). I'm volunteering to write the
>>> necessary code sample for the upgrading notes :p
>>
>> If people read it ... what might happen is that people test when
>> upgrading (yay!), all tests pass and all work, and then 1% of the users
>> or so can't log in anymore (with a European site, for instance, where
>> 8-bit characters might happen ...)
>
> That might happen, but it isn't a critical issue I think, since the change
> does not produce unconsumable hashes or silently corrupt data in some other
> way. I think you're also overestimating the amount of people using bcrypt
> for password storage; most people unfortunately still use SHA1s (with or
> without a salt).
>
> As Stas said though, whatever the upstream implementation uses as a solution
> should be mirrored by PHP. The alternative would be to introduce a new hash
> algorithm code that only works in newer versions of PHP, which hurts
> portability (which is the major selling point of crypt()). Simply "breaking"
> old hashes (there's not gonna be many of them out there) with the ability
> to easily and transparently fix it without user interaction in userland code
> seems like a much better idea to me.
>
> David

It would be good if we could communicate this change more than by mentioning it in the changelog.

Tyrael
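The transitional check David describes above (verify against the stored $2a hash, retry with the $2x prefix if that fails, then re-hash with $2a), written out as an added example that is not part of this thread or of PHP's own upgrading notes. It assumes a crypt() that accepts the $2x prefix for the old 8-bit behaviour and that hash_equals()/random_bytes() are available; the function names and the $newHash out-parameter are my own.

```php
<?php
// Added example: verify a stored bcrypt ($2a$) hash and, if it only matches
// under the old 8-bit-buggy behaviour ($2x$), re-hash it with the fixed $2a$.
// Assumes crypt() understands "$2x$" as the legacy (buggy) behaviour.

function bcrypt_salt(int $cost = 10): string
{
    // 22 salt characters from the bcrypt alphabet [./A-Za-z0-9]
    $raw = strtr(base64_encode(random_bytes(16)), '+', '.');
    return sprintf('$2a$%02d$%s', $cost, substr($raw, 0, 22));
}

function verify_and_upgrade(string $password, string $storedHash, ?string &$newHash = null): bool
{
    $newHash = null;

    // Normal path: the hash verifies with the corrected algorithm.
    if (hash_equals($storedHash, crypt($password, $storedHash))) {
        return true;
    }

    // Only $2a$ hashes of passwords containing 8-bit bytes can be affected
    // by the old bug, so skip the fallback for everything else.
    if (strncmp($storedHash, '$2a$', 4) !== 0 || !preg_match('/[\x80-\xff]/', $password)) {
        return false;
    }

    // Transitional path: same salt and cost, but computed the old way.
    $legacyHash = '$2x$' . substr($storedHash, 4);
    if (!hash_equals($legacyHash, crypt($password, $legacyHash))) {
        return false;
    }

    // The password is right; only the stored hash came from the buggy code.
    // Re-hash with $2a$ (fresh salt, same cost) so the caller can store a
    // value that the corrected crypt() verifies directly.
    $cost = (int) substr($storedHash, 4, 2);
    $newHash = crypt($password, bcrypt_salt($cost));
    return true;
}

// Usage sketch: $stored comes from the user record; $password from the login form.
// if (verify_and_upgrade($password, $stored, $upgraded) && $upgraded !== null) {
//     store $upgraded in place of $stored
// }
```

A non-null $newHash means the login succeeded only via the $2x fallback, so it should replace the stored hash immediately; the fallback branch itself is meant to be removed once the transition period is over.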