Newsgroups: php.internals
Date: Tue, 31 Jul 2012 16:02:34 -0400
From: Anthony Ferrara (ircmaxell@gmail.com)
To: Peter Lind
Cc: Jonathan Bond-Caron, internals@lists.php.net
Subject: Re: [PHP-DEV] [PROPOSED] password_hash RFC - Implementing simplified password hashing functions

Peter,

On Tue, Jul 31, 2012 at 3:46 PM, Peter Lind wrote:
> On 31 July 2012 18:21, Anthony Ferrara wrote:
> > *snip*
> >
> > Also, be aware that BCrypt only uses the first 72 characters of the
> > password field. So if you use a hex encoded sha512 output, a good deal of
> > entropy would be lost (almost half of it)...
>
> Seeing as the hashing function will default (at first, at least) to
> bcrypt, would it be possible to add a warning if it's given an input
> longer than 72 chars? Preferably make the function context-aware so
> you don't get the same warning if using sha512. Otherwise I predict
> that someone will do:
>
> $hash = password_hash($my_128_char_pepper . $password, PASSWORD_DEFAULT);
>
> Which obviously renders the hashing useless, as you'll be hashing the
> same 72 chars over and over again. Which, currently, crypt() lets you
> get away with without as much as a hiccup.

That's actually a very good idea. I'm curious though. Should we warn? Or
should we sha512 hash (to bring down to 64 chars)... That's something I
think would be worth reaching out to the crypt() maintainers for advice...
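The truncation the two posters are discussing, and the length check Peter proposes, as an added example written for this thread rather than code from the RFC or from either author. It assumes PHP's later `password_hash()`/`password_verify()` API (the functions the RFC was proposing), uses a constructed 128-character pepper like the one in the quoted mail, and a low `cost` only so the demo runs quickly. The `safePasswordHash()` guard and the HMAC-based `pepperedPassword()` helper are hypothetical names; the HMAC pre-hash is an alternative to the sha512 idea floated above, chosen because its base64 output is 44 bytes, well under the limit, and contains no NUL bytes.

```php
<?php
// Added example: shows bcrypt's 72-byte input limit, the prefixed-pepper
// pitfall from the thread, and two defensive responses.

const BCRYPT_MAX_BYTES = 72;

// cost 4 is the minimum and is used here only to keep the demo fast;
// production code should keep password_hash()'s default or higher.
const DEMO_OPTIONS = ['cost' => 4];

/**
 * True when two inputs that differ only after byte 72 verify against the
 * same bcrypt hash, i.e. the tail was silently ignored by the algorithm.
 */
function bcryptTruncates(): bool
{
    $base = str_repeat('a', BCRYPT_MAX_BYTES);
    $hash = password_hash($base . 'SECRET-TAIL-1', PASSWORD_BCRYPT, DEMO_OPTIONS);
    return password_verify($base . 'completely different tail', $hash);
}

/**
 * The pattern Peter warns about: a 128-char pepper prepended to the password.
 * Returns true when a wrong password still verifies, which is the failure mode.
 */
function prefixPepperPitfall(): bool
{
    $pepper = str_repeat('p', 128); // constructed pepper, as in the quoted mail
    $hash = password_hash($pepper . 'correct horse', PASSWORD_BCRYPT, DEMO_OPTIONS);
    // The pepper alone fills all 72 bytes, so the real password never reaches bcrypt.
    return password_verify($pepper . 'wrong password', $hash);
}

/**
 * Hypothetical guard implementing the warning Peter suggests: refuse inputs
 * bcrypt would truncate. strlen() counts bytes, which is what bcrypt sees.
 */
function safePasswordHash(string $password): string
{
    $len = strlen($password);
    if ($len > BCRYPT_MAX_BYTES) {
        throw new LengthException(sprintf(
            'bcrypt only hashes the first %d bytes, got %d; part of the input would be ignored',
            BCRYPT_MAX_BYTES, $len
        ));
    }
    return password_hash($password, PASSWORD_BCRYPT, DEMO_OPTIONS);
}

/**
 * Hypothetical helper: fold a pepper in via HMAC-SHA256 and base64-encode the
 * result (44 bytes, no NUL bytes) so the whole password and the pepper both
 * contribute to what bcrypt hashes. Pre-hashing is an alternative to the raw
 * sha512 idea in the thread, not something the RFC itself specified.
 */
function pepperedPassword(string $password, string $pepper): string
{
    return base64_encode(hash_hmac('sha256', $password, $pepper, true));
}

// Demo run.
printf("bcrypt ignores bytes past 72:        %s\n", bcryptTruncates() ? 'yes' : 'no');
printf("128-char prefix pepper breaks auth:  %s\n", prefixPepperPitfall() ? 'yes' : 'no');

try {
    safePasswordHash(str_repeat('p', 128) . 'correct horse');
} catch (LengthException $e) {
    printf("guard rejected long input:           %s\n", $e->getMessage());
}

$pepper  = str_repeat('p', 128);
$hash    = safePasswordHash(pepperedPassword('correct horse', $pepper));
$okRight = password_verify(pepperedPassword('correct horse', $pepper), $hash);
$okWrong = password_verify(pepperedPassword('wrong password', $pepper), $hash);
printf("HMAC-peppered: right=%s wrong=%s\n", $okRight ? 'true' : 'false', $okWrong ? 'true' : 'false');
```

Run with `php demo.php`. The first two lines print `yes` on a stock PHP build, which is exactly the silent behaviour the thread is worried about; the guard turns it into an explicit error, and the HMAC variant keeps the pepper while staying inside the limit. Note that the limit is in bytes, so multibyte UTF-8 passwords hit it sooner than their character count suggests.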