Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:61900 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 96388 invoked from network); 31 Jul 2012 20:20:38 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 31 Jul 2012 20:20:38 -0000 Authentication-Results: pb1.pair.com header.from=peter.e.lind@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=peter.e.lind@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.213.42 as permitted sender) X-PHP-List-Original-Sender: peter.e.lind@gmail.com X-Host-Fingerprint: 209.85.213.42 mail-yw0-f42.google.com Received: from [209.85.213.42] ([209.85.213.42:53267] helo=mail-yw0-f42.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id E1/34-00342-51E38105 for ; Tue, 31 Jul 2012 16:20:38 -0400 Received: by yhoo21 with SMTP id o21so7467801yho.29 for ; Tue, 31 Jul 2012 13:20:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=qptskP0Pz6XR3BegAo7QtaYbLd4noI0FnzMt+2Q8Paw=; b=niAJkvUN/bMto5oIkGlnZi6WUv22Ujxm5eLXPXhGIFToppN1aKnVGsNXRMADmVXjDc V3gGEywXyXVmt0SzYU2a6gHv6ClkmAAaUp8cuy/mjIh8Lo2fWLzXZMQ9B3L/JB4T9FcU P66sFhX1avLbod8G+aRO6aM5VnPOvV3DdX+YrM1J48YGTXaRGMOsEQUneyy+x+HGmaFd JCucxu1Mm8yyiARFmCk2rPXJAuhvAszx37iixqq0ekVdSMaI10xVHrapHH8hv9sBlt+b 8g3dRJdf4NpFvUtSOlijlB3d58pbzLDP+U1SCR6WuKVq9hTl1y1bs7ToRKUmYTeSZzqu EH9Q== Received: by 10.50.170.68 with SMTP id ak4mr1818694igc.74.1343766034201; Tue, 31 Jul 2012 13:20:34 -0700 (PDT) MIME-Version: 1.0 Received: by 10.64.167.129 with HTTP; Tue, 31 Jul 2012 13:20:13 -0700 (PDT) In-Reply-To: References: <4FFF1831.8070902@sugarcrm.com> <005101cd6f18$9da38510$d8ea8f30$@com> <009401cd6f28$b71c69c0$25553d40$@com> <00b701cd6f35$b2d621a0$188264e0$@com> Date: Tue, 31 Jul 2012 22:20:13 +0200 Message-ID: To: Anthony Ferrara Cc: internals@lists.php.net Content-Type: text/plain; charset=UTF-8 Subject: Re: [PHP-DEV] [PROPOSED] password_hash RFC - Implementing simplified password hashing functions From: peter.e.lind@gmail.com (Peter Lind) On 31 July 2012 22:02, Anthony Ferrara wrote: > Peter, > > On Tue, Jul 31, 2012 at 3:46 PM, Peter Lind wrote: >> >> On 31 July 2012 18:21, Anthony Ferrara wrote: >> >> *snip* >> >> > >> > Also, be aware that BCrypt only uses the first 72 characters of the >> > password field. So if you use a hex encoded sha512 output, a good deal >> > of >> > entropy would be lost (almost half of it)... >> > >> >> Seeing as the hashing function will default (at first, at least) to >> bcrypt, would it be possible to add a warning if it's given an input >> longer than 72 chars? Preferably make the function context-aware so >> you don't get the same warning if using sha512. Otherwise I predict >> that someone will do: >> >> $hash = password_hash($my_128_char_pepper . $password, PASSWORD_DEFAULT); >> >> Which obviously renders the hashing useless, as you'll be hashing the >> same 72 chars over and over again. Which, currently, crypt() let's you >> get away with without as much as a hiccup. > > > That's actually a very good idea. > > I'm curious though. Should we warning? Or should we sha512 hash (to bring > down to 64 chars)... That's something I think would be worth reaching out > to the crypt() maintainers for advice... I'd be wary of not doing what people actually expect - i.e. hash the provided string with the specified algo. Better to educate the users, I'd say, through a warning. Anyway, as you said, would be good to get other opinions on this. Regards Peter -- WWW: plphp.dk / plind.dk CV: careers.stackoverflow.com/peterlind LinkedIn: plind Twitter: kafe15