Newsgroups: php.internals
Xref: news.php.net php.internals:69768
From: aharvey@php.net (Adam Harvey)
Sender: adam@adamharvey.name
To: Andrea Faulds, Yasuo Ohgaki
Cc: PHP internals
Date: Tue, 22 Oct 2013 10:11:00 -0700
In-Reply-To: <52664C58.3020901@ajf.me>
References: <8C33E1D9-8689-4E81-A79B-644CB690DB64@gmail.com> <52664C58.3020901@ajf.me>
Subject: Re: [PHP-DEV] [VOTE] Change crypt() behavior w/o salt

On 22 October 2013 02:58, Andrea Faulds wrote:
> On 22/10/2013 07:10, Yasuo Ohgaki wrote:
>>
>> Any comments on the patch for this RFC?
>> A better E_NOTICE message is welcome.
>
> I'm a native English speaker, how about "Calling crypt() without giving a
> salt will not produce strong password hashes."?
>
> It doesn't necessarily say you will produce a strong hash with it (other
> factors are at play), but it does say that you can't without it.
>
> Perhaps "secure" might be better than "strong".

I think I'd prefer the wording to be a little stronger, since this is going to be shown when the user has actually done that. How about:

"Generating an insecure weak hash as no salt was given: please ensure the salt parameter is specified and uses a strong hash type in order to generate a cryptographically secure hash"

On the bright side, at least php_error_docref() will ensure there's a link to the crypt() manual page in most setups.
Rereading that, we may actually want to be slightly more opinionated there about which hash types are good and which are bad (it's not at all obvious that the DES and MD5 types shouldn't generally be used).

Adam
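The point made above about the salt parameter and about the DES and MD5 hash types, as an added example that is not part of the thread or of php-src: it shows what crypt() does with each salt format, why the DES type is weak even with a salt, and how the password_hash() API avoids the whole question. The helpers salt_chars(), bcrypt_salt(), md5crypt_salt() and crypt_verify() are names chosen here for illustration; the script assumes PHP 7.0 or later (random_bytes(), scalar type hints) built with bcrypt support, which is the default.

```php
<?php
// Added example, not code from the thread or from php-src. Assumes PHP >= 7.0
// (random_bytes, scalar type hints) built with bcrypt support, the default.

// Random salt characters from crypt()'s "./0-9A-Za-z" alphabet.
function salt_chars(int $length): string
{
    // base64 uses "+" and "/"; crypt's alphabet has "." and "/" but no "+".
    // Padding "=" only appears at the end, past the characters we keep.
    $b64 = base64_encode(random_bytes($length));
    return substr(strtr($b64, '+', '.'), 0, $length);
}

// Salt for bcrypt: "$2y$" + two-digit cost (04..31) + "$" + 22 salt chars.
function bcrypt_salt(int $cost = 12): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    return sprintf('$2y$%02d$%s', $cost, salt_chars(22));
}

// Salt for MD5-crypt: "$1$" + up to 8 salt chars + "$".
function md5crypt_salt(): string
{
    return '$1$' . salt_chars(8) . '$';
}

// Verify a crypt()-style hash: re-hash with the stored hash as the salt and
// compare in constant time so the comparison leaks no timing information.
function crypt_verify(string $password, string $hash): bool
{
    return hash_equals($hash, crypt($password, $hash));
}

$password = 'correct horse battery staple';

// Traditional DES (two-character salt, no "$" prefix) uses only the first
// eight characters of the password, so these two inputs hash identically.
$des_full  = crypt($password, 'ab');
$des_trunc = crypt('correct ', 'ab');
echo "DES:    $des_full\n";
echo "        same hash for the 8-character prefix? ",
     ($des_full === $des_trunc ? 'yes' : 'no'), "\n";

// MD5-crypt is salted, but it is cheap to compute and iterates a fixed 1000
// rounds, so it does not resist offline guessing on modern hardware.
$md5 = crypt($password, md5crypt_salt());
echo "MD5:    $md5\n";

// bcrypt carries a tunable cost factor; raise it as hardware gets faster.
$bcrypt = crypt($password, bcrypt_salt(12));
echo "bcrypt: $bcrypt\n";
echo "        correct password verifies? ",
     (crypt_verify($password, $bcrypt) ? 'yes' : 'no'), "\n";
echo "        wrong password verifies?   ",
     (crypt_verify('wrong', $bcrypt) ? 'yes' : 'no'), "\n";

// password_hash() (PHP >= 5.5) generates the salt and picks the algorithm
// for you; it is the API to reach for instead of calling crypt() directly.
$hash = password_hash($password, PASSWORD_DEFAULT);
echo "password_hash: $hash\n";
echo "        verifies? ",
     (password_verify($password, $hash) ? 'yes' : 'no'), "\n";
// Flags hashes made with an older algorithm or a lower cost so they can be
// re-hashed the next time the user logs in with the correct password.
echo "        needs rehash at cost 12? ",
     (password_needs_rehash($hash, PASSWORD_DEFAULT, ['cost' => 12]) ? 'yes' : 'no'), "\n";
```

Run it with `php` on the command line; the DES line is the one to look at, since it shows that a salt alone does not make the DES type safe. The notice discussed in this thread shipped in PHP 5.6, and PHP 8.0 went further and made the salt parameter of crypt() mandatory, so on current versions a call without a salt is a hard error rather than a weak hash.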