Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:61898
Return-Path: <peter.e.lind@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 92605 invoked from network); 31 Jul 2012 19:47:16 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 31 Jul 2012 19:47:16 -0000
Authentication-Results: pb1.pair.com header.from=peter.e.lind@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=peter.e.lind@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.216.170 as permitted sender)
X-PHP-List-Original-Sender: peter.e.lind@gmail.com
X-Host-Fingerprint: 209.85.216.170 mail-qc0-f170.google.com  
Received: from [209.85.216.170] ([209.85.216.170:63634] helo=mail-qc0-f170.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 44/63-00342-34638105 for <internals@lists.php.net>; Tue, 31 Jul 2012 15:47:16 -0400
Received: by qcmt36 with SMTP id t36so4726286qcm.29
        for <internals@lists.php.net>; Tue, 31 Jul 2012 12:47:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc:content-type;
        bh=loQ5CG5wCO+QX99wpQuow5vALBwLwmgmGi09mSMw6Lg=;
        b=mi0raF8vSiH+Ski0IFQ/Z+A/98akhzg1Tj8K4Dd7EmpY31iHddIQDfPAAaAV/KfAvO
         4pp4C3aSo5x1O3+lxNkEVYdcsCnIksNoV+rNfn8ZkVV3uAikuzKeUzXYl725rpY4VJfx
         +xrYKrPZVCp0LJMCZnFzdR3VpAqZNBFrXlY7QZ7t8uXcCaQNh51EOPeoN42HVbBcisOe
         mRosbe8MyO1A3yr83u1JsjETD+2umYQpC6xsplGtpgvygNtO+EboybkqyZHdfkPF33Mz
         5DGJwUCQfxiJ1y/zmttXIKWp6zwB0Te+vd7AcrQZ5wm/cCZkTGwJ91N9vtHNaronUnmQ
         GHcA==
Received: by 10.50.149.225 with SMTP id ud1mr3023661igb.74.1343764033109; Tue,
 31 Jul 2012 12:47:13 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.167.129 with HTTP; Tue, 31 Jul 2012 12:46:49 -0700 (PDT)
In-Reply-To: <CAAyV7nHr532Bi-K0k99wSSg5RgJYLGAdusMqCYt9pRRr6LqscA@mail.gmail.com>
References: <CAAyV7nFRT24rksh6iDWxstfQwJ4+KdEC7Zs6EC8wBtJ8Zorf7w@mail.gmail.com>
 <4FFF1831.8070902@sugarcrm.com> <CAAyV7nHi0k6S-zbi5=xCE8EmXpaEds9RoZTB8RPOeO8K_ZLY=w@mail.gmail.com>
 <005101cd6f18$9da38510$d8ea8f30$@com> <CAAyV7nGOiVD0=z+6nJKAhr6qu96GuU4+nBTTQiizcP9DxNRUUg@mail.gmail.com>
 <009401cd6f28$b71c69c0$25553d40$@com> <CAAyV7nH8w5j+AQYQqh0O5eA78tjrvEzAAvKkPNPNrRFhBvDxvQ@mail.gmail.com>
 <00b701cd6f35$b2d621a0$188264e0$@com> <CAAyV7nHr532Bi-K0k99wSSg5RgJYLGAdusMqCYt9pRRr6LqscA@mail.gmail.com>
Date: Tue, 31 Jul 2012 21:46:49 +0200
Message-ID: <CAEU6NAeQsnDr0uDKMLU3F9SE=dopaiELGozkPX8zOj9CsGFagQ@mail.gmail.com>
To: Anthony Ferrara <ircmaxell@gmail.com>
Cc: Jonathan Bond-Caron <jbondc@openmv.com>, internals@lists.php.net
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] [PROPOSED] password_hash RFC - Implementing simplified
 password hashing functions
From: peter.e.lind@gmail.com (Peter Lind)

On 31 July 2012 18:21, Anthony Ferrara <ircmaxell@gmail.com> wrote:

*snip*

>
> Also, be aware that BCrypt only uses the first 72 characters of the
> password field. So if you use a hex encoded sha512 output, a good deal of
> entropy would be lost (almost half of it)...
>

Seeing as the hashing function will default (at first, at least) to
bcrypt, would it be possible to add a warning if it's given an input
longer than 72 chars? Preferably make the function context-aware so
you don't get the same warning if using sha512. Otherwise I predict
that someone will do:

$hash = password_hash($my_128_char_pepper . $password, PASSWORD_DEFAULT);

Which obviously renders the hashing useless, as you'll be hashing the
same 72 chars over and over again. Which, currently, crypt() let's you
get away with without as much as a hiccup.

Regards
Peter

-- 
<hype>
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
</hype>