Newsgroups: php.internals
Subject: Re: [PHP-DEV] [VOTE] Change crypt() behavior w/o salt
From: krakjoe@php.net (Joe Watkins)
To: internals@lists.php.net, Adam Harvey
Date: Tue, 22 Oct 2013 18:21:08 +0100

On 10/22/2013 06:11 PM, Adam Harvey wrote:
> On 22 October 2013 02:58, Andrea Faulds wrote:
>> On 22/10/2013 07:10, Yasuo Ohgaki wrote:
>>>
>>> Any comments on the patch for this RFC?
>>> Better E_NOTICE message is welcome.
>>
>> I'm a native English speaker, how about "Calling crypt() without giving a
>> salt will not produce strong password hashes."?
>>
>> It doesn't necessarily say you will produce a strong hash with it (other
>> factors are at play), but it does say that you can't without it.
>>
>> Perhaps "secure" might be better than "strong".
>
> I think I'd prefer the wording to be a little stronger, since this is
> going to be shown when the user has actually done that. How about:
>
> "Generating an insecure weak hash as no salt was given: please ensure
> the salt parameter is specified and uses a strong hash type in order
> to generate a cryptographically secure hash"
>
> On the bright side, at least php_error_docref() will ensure there's a
> link to the crypt() manual page in most setups. Rereading that, we may
> actually want to be slightly more opinionated there about which hash
> types are good and which are bad (it's not at all obvious that the DES
> and MD5 types shouldn't generally be used).
>
> Adam
>

+1 that's good too ... Wonder how well it will translate ??

Generating should be Generated, no ??

Cheers
Joe
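For reference, an added example that is not part of the thread or of the RFC patch: the unsalted crypt() call the proposed notice targets, next to the explicitly salted bcrypt form it steers users toward. It assumes a PHP 5.x runtime like the one under discussion (later PHP releases make the salt parameter mandatory, so the unsalted call would not run there), and `make_bcrypt_salt` is a helper written for this example.

```php
<?php
// Added example, not from the mailing-list thread. Assumes PHP 5.x, where
// crypt() still accepts a call without a salt.

// Build a bcrypt ("$2y$") setting string for crypt(): cost factor plus
// 22 characters from the alphabet ./A-Za-z0-9, taken from a CSPRNG.
function make_bcrypt_salt($cost = 10) {
    $raw = openssl_random_pseudo_bytes(17);   // 17 bytes -> 24 base64 chars, 22 used
    $b64 = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $b64);
}

function weak_hash($password) {
    // No salt argument: crypt() falls back to a weak scheme on its own.
    // This is exactly the call the RFC's E_NOTICE is meant to flag.
    return crypt($password);
}

function strong_hash($password) {
    // Explicit bcrypt salt with a cost factor: the form the notice asks for.
    return crypt($password, make_bcrypt_salt(10));
}

function verify($password, $stored) {
    // Passing the stored hash as the salt makes crypt() reuse the embedded
    // scheme, cost and salt, so the outputs can be compared directly.
    return crypt($password, $stored) === $stored;
}

$pw = 'correct horse battery staple';   // constructed sample input
$weak   = weak_hash($pw);
$strong = strong_hash($pw);
printf("no salt : %s (%d chars)\n", $weak, strlen($weak));
printf("bcrypt  : %s (%d chars)\n", $strong, strlen($strong));
var_dump(verify($pw, $strong));
var_dump(verify('not the password', $strong));
```

The two printed hashes differ in prefix and length, which is how a reviewer can tell from stored values alone whether the unsalted path was used.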