Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:69791
Return-Path: <ajf@ajf.me>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 93499 invoked from network); 23 Oct 2013 00:35:15 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 23 Oct 2013 00:35:15 -0000
Authentication-Results: pb1.pair.com header.from=ajf@ajf.me; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=ajf@ajf.me; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain ajf.me designates 198.187.29.241 as permitted sender)
X-PHP-List-Original-Sender: ajf@ajf.me
X-Host-Fingerprint: 198.187.29.241 imap3-1.ox.registrar-servers.com  
Received: from [198.187.29.241] ([198.187.29.241:43070] helo=imap3-1.ox.registrar-servers.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 5B/71-10840-2C917625 for <internals@lists.php.net>; Tue, 22 Oct 2013 20:35:14 -0400
Received: from localhost (localhost [127.0.0.1])
	by oxmail.registrar-servers.com (Postfix) with ESMTP id 8AED72A007F
	for <internals@lists.php.net>; Tue, 22 Oct 2013 20:35:11 -0400 (EDT)
X-Virus-Scanned: Debian amavisd-new at imap3.ox.registrar-servers.com
Received: from oxmail.registrar-servers.com ([127.0.0.1])
	by localhost (imap3.ox.registrar-servers.com [127.0.0.1]) (amavisd-new, port 10024)
	with LMTP id QCFIsRHhf2Sa for <internals@lists.php.net>;
	Tue, 22 Oct 2013 20:35:11 -0400 (EDT)
Received: from [192.168.0.200] (unknown [94.3.245.95])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by oxmail.registrar-servers.com (Postfix) with ESMTPSA id 30CBC2A007B
	for <internals@lists.php.net>; Tue, 22 Oct 2013 20:35:10 -0400 (EDT)
Message-ID: <526719B6.4020408@ajf.me>
Date: Wed, 23 Oct 2013 01:35:02 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:25.0) Gecko/20100101 Thunderbird/25.0
MIME-Version: 1.0
To: PHP internals <internals@lists.php.net>
References: <CAGa2bXaRkv2asU1bAwXTe=9s7o2njsqxG8W8gE9OtcG=8G4qqg@mail.gmail.com> <8C33E1D9-8689-4E81-A79B-644CB690DB64@gmail.com> <CAGa2bXbkcn+hN5k=MeeOR3MaOn2kW_M_sKkcwfnOxhng8=gc8Q@mail.gmail.com> <CAGa2bXYONaoxFBbmDx_vXQCpWSxPfLUsQJDKoQ3OCo1gDTcBwQ@mail.gmail.com> <CAGa2bXYjLhaPUkDYWH+iRGeQuNvtCEwSYDn74uDNtyKzBWMs3w@mail.gmail.com> <52664C58.3020901@ajf.me> <CADajX4ACagw=F_sZnesP3uRj6s=+8kL0xahffMYBemckX4GMEg@mail.gmail.com> <CAGa2bXYttfGK5jxiNN6Hu0cenrLdp9r3P-1ApK8na=7zW1pteQ@mail.gmail.com>
In-Reply-To: <CAGa2bXYttfGK5jxiNN6Hu0cenrLdp9r3P-1ApK8na=7zW1pteQ@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] [VOTE] Change crypt() behavior w/o salt
From: ajf@ajf.me (Andrea Faulds)

On 23/10/2013 01:26, Yasuo Ohgaki wrote:
> On Wed, Oct 23, 2013 at 2:11 AM, Adam Harvey <aharvey@php.net
> <mailto:aharvey@php.net>> wrote:
>
>     "Generating an insecure weak hash as no salt was given: please ensure
>     the salt parameter is specified and uses a strong hash type in order
>     to generate a cryptographically secure hash"
>
>
> I guess this would be one of the longest error message, but it does not
> matter.
>
> If there isn't better message, I'll commit with this message in a few days.
>

How about "No salt parameter was specified. You must use a randomly 
generated salt and a strong hash function to produce a secure hash."

It doesn't emphasise the "strong" and "weak" as much, but I feel it gets 
the message acrosss well nonetheless.

-- 
Andrea Faulds
http://ajf.me/