Newsgroups: php.internals
Xref: news.php.net php.internals:54004
Mailing-List: internals@lists.php.net
In-Reply-To: <20110717225127.GA19832@openwall.com>
References: <20110717182616.GA17288@openwall.com> <20110717222915.GA14497@joeysmith.com> <20110717225127.GA19832@openwall.com>
Date: Mon, 18 Jul 2011 01:23:40 +0200
To: Solar Designer, Ilia Alshanetsky
Cc: Joey Smith, PHP Internals List
Subject: Re: [PHP-DEV] [PATCH] crypt_blowfish 1.2
From: pierre.php@gmail.com (Pierre Joye)

hi!

Thanks for the patches! Very welcome :)

On Mon, Jul 18, 2011 at 12:51 AM, Solar Designer wrote:
> Yes, but this is not terribly important. In practice, "$2a$" is almost
> the same as "$2y$". For passwords that don't contain the '\xff'
> character (which is not even valid in UTF-8 sequences), these two are
> 100% equivalent. For realistic passwords that do contain this
> character, I had one "hit" in 150,000+ such passwords tested:
>
> http://www.openwall.com/lists/oss-security/2011/07/08/1
>
> So this is negligible, and even for the affected passwords (where "$2y$"
> and "$2a$" hashes differ by more than just the prefix) this only matters
> if those password hashes are ever migrated to other systems (non-PHP).
>
> The reason why I went for this is that I consider the security advantage
> of avoiding easy collisions with the buggy hashes non-negligible.

Makes full sense.

>> perhaps a note mentioning the '$2x$' prefix for "transitioning users
>> with passwords that contain non-ASCII characters with the 8th bit set".
>
> We need to be careful here such that no one starts using this for newly
> set passwords. This bit of documentation should be available to those
> few who actually need it (I expect that most sites won't care), but
> maybe it should not be on the function crypt() documentation page.
>
>> Obviously, any documentation change in this regard will need to be
>> pending on the version these patches get rolled into...
>
> Yes - need to release PHP versions with this code first.

I think we should push this patch to 5.3 now as well, so it will be in
5.3.7; it is important enough.

Cheers,
--
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org
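The transition the thread describes (a site whose "$2a$" hashes were produced by the old, buggy crypt_blowfish, now running a PHP with the "$2x$"/"$2y$" prefixes) can be handled at login time. The following is an added example, not code from the thread or from PHP itself; it assumes PHP 5.3.7 or later, where crypt() understands all three prefixes, and the function names (verify_and_migrate, make_bcrypt_salt, same_string, has_high_bit_bytes) are hypothetical. It only ever uses "$2x$" to check an existing "$2a$" hash, and only when the password actually contains a byte with the 8th bit set, since those are the only passwords the old bug could have affected; every new or rehashed password gets a "$2y$" hash, which keeps "$2x$" out of stored data, as the thread asks.

```php
<?php
// Added example (not from the thread): verify a stored bcrypt hash and
// migrate legacy "$2a$" hashes to "$2y$" on a successful login.
// Assumes PHP >= 5.3.7 (crypt_blowfish 1.2 with $2x$/$2y$ support).

// Constant-time comparison; hash_equals() only exists in PHP >= 5.6.
function same_string($a, $b) {
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// True if any byte of $s has the 8th bit set (non-ASCII input).
function has_high_bit_bytes($s) {
    return preg_match('/[\x80-\xff]/', $s) === 1;
}

// Fresh "$2y$" salt: 16 random bytes mapped onto the bcrypt alphabet ./A-Za-z0-9.
function make_bcrypt_salt($cost = 10) {
    $raw = openssl_random_pseudo_bytes(16);
    $b64 = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $b64);
}

/**
 * Returns false when the password does not match, otherwise the hash the
 * caller should store from now on: the stored hash itself if it is already
 * "$2y$", or a newly computed "$2y$" hash if the login went through a
 * legacy "$2a$" (or "$2x$"-compatible) hash.
 */
function verify_and_migrate($password, $stored_hash) {
    $prefix = substr($stored_hash, 0, 4);

    // 1. Check under the current (correct) semantics of the stored prefix.
    if (same_string(crypt($password, $stored_hash), $stored_hash)) {
        if ($prefix === '$2y$') {
            return $stored_hash;
        }
        return crypt($password, make_bcrypt_salt());
    }

    // 2. A "$2a$" hash computed by the old buggy code can only differ for
    //    passwords containing 8-bit characters, so only then retry as "$2x$".
    if ($prefix === '$2a$' && has_high_bit_bytes($password)) {
        $legacy = '$2x$' . substr($stored_hash, 4);
        if (same_string(crypt($password, $legacy), $legacy)) {
            // Matched the bug-compatible computation: rehash correctly.
            return crypt($password, make_bcrypt_salt());
        }
    }

    return false;
}

// Constructed usage: a new account gets a "$2y$" hash; a later login
// returns the same hash unchanged because no migration is needed.
$stored = crypt("p\xe4ssw0rd", make_bcrypt_salt());   // constructed password with an 8-bit byte
$result = verify_and_migrate("p\xe4ssw0rd", $stored);
echo ($result === $stored) ? "ok, no migration needed\n" : "mismatch\n";
```

The "$2x$" retry costs a second bcrypt computation, but only on the rare path (legacy prefix plus a non-ASCII password plus a failed first check), so ordinary logins pay for one crypt() call. Once every row in the credential store carries a "$2y$" prefix, step 2 can be deleted outright.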