Newsgroups: php.internals
Subject: crypt() BC issue
From: Yasuo Ohgaki <yohgaki@ohgaki.net>
To: internals@lists.php.net
Date: Wed, 16 Jul 2014 09:46:54 +0900

Hi all,

crypt() has a BC issue with older systems.

https://bugs.php.net/bug.php?id=62372&edit=1

The reason rounds became 1000 from 10 is the hardcoded lower limit in newer PHPs. Generally speaking, developers should never use fewer than 1000 rounds, and it is better to have at least a few thousand rounds or more; tens of thousands or more is recommended.

I would like to make this bug report 'won't fix', since migration is possible.

- Developers may use larger rounds and store the updated hash when the user is authenticated with old PHP.
- Developers may ask users to reset their password if the password hash has fewer rounds than 1000 (i.e. an outdated hash) with new PHP.

Any comments?

--
Yasuo Ohgaki
yohgaki@ohgaki.net
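The two migration paths the mail lists, written out as an added PHP example (this is not code from the mail, from the bug report, or from PHP's own source tree). It assumes PHP 7.1 or later (random_bytes(), hash_equals(), nullable return types); MIN_ROUNDS is the lower limit the mail describes, while TARGET_ROUNDS, the helper names, the "correct horse" password and the record data are all chosen here for illustration. The rounds=10 record near the end is constructed with a placeholder digest, not a real hash.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original mail or from PHP itself.
// Assumptions: PHP 7.1+. MIN_ROUNDS is the lower limit the mail describes;
// TARGET_ROUNDS is a value picked for this example only.
const MIN_ROUNDS    = 1000;
const TARGET_ROUNDS = 50000;

/** Rounds encoded in a SHA-256 ($5$) or SHA-512 ($6$) crypt() hash, or null if it is not SHA-crypt. */
function crypt_rounds(string $hash): ?int
{
    // Format: $6$rounds=N$salt$digest ; without a "rounds=" field the default of 5000 applies.
    if (!preg_match('/^\$[56]\$(?:rounds=(\d+)\$)?/', $hash, $m)) {
        return null; // DES, MD5, bcrypt or garbage: not handled here
    }
    return isset($m[1]) && $m[1] !== '' ? (int) $m[1] : 5000;
}

/** True when a stored hash uses fewer rounds than we want to keep in the database. */
function needs_rehash(string $hash, int $target = TARGET_ROUNDS): bool
{
    $rounds = crypt_rounds($hash);
    return $rounds === null || $rounds < $target;
}

/** Fresh SHA-512 salt string with an explicit rounds= setting. */
function make_salt(int $rounds): string
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    foreach (str_split(random_bytes(16)) as $byte) {
        $salt .= $alphabet[ord($byte) % 64]; // 256 % 64 == 0, so the mapping is unbiased
    }
    return sprintf('$6$rounds=%d$%s$', $rounds, $salt);
}

/**
 * Verify a login against a stored crypt() hash and apply the mail's migration:
 *   "ok"             password matched; the hash was upgraded if it was below TARGET_ROUNDS
 *   "reset_required" the stored hash uses fewer than MIN_ROUNDS rounds and this PHP can
 *                    no longer reproduce it, so the user has to reset the password
 *   "bad"            wrong password
 * $store receives the replacement hash to write back to the user record.
 */
function login(string $password, string $stored, callable $store): string
{
    $computed = crypt($password, $stored); // crypt() reuses the settings embedded in $stored
    $matched  = strlen($computed) > 13 && hash_equals($stored, $computed); // "*0"/"*1" mean failure

    if ($matched) {
        if (needs_rehash($stored)) {
            $store(crypt($password, make_salt(TARGET_ROUNDS))); // path 1: upgrade on successful login
        }
        return 'ok';
    }

    $rounds = crypt_rounds($stored);
    if ($rounds !== null && $rounds < MIN_ROUNDS) {
        return 'reset_required'; // path 2: outdated hash that a new PHP cannot verify
    }
    return 'bad';
}

// --- demo with constructed data ---
$record = ['hash' => crypt('correct horse', make_salt(1000))]; // constructed record right at the limit
$store  = function (string $new) use (&$record) { $record['hash'] = $new; };

echo login('correct horse', $record['hash'], $store), "\n"; // matches, and the record is upgraded
echo crypt_rounds($record['hash']), "\n";                     // rounds now stored in the record
echo login('wrong', $record['hash'], $store), "\n";           // wrong password

// A salt asking for rounds=10 is raised to the lower limit on a current PHP, which is
// why a hash written with rounds=10 by an old PHP no longer verifies on a new one.
echo crypt_rounds(crypt('x', '$6$rounds=10$abcdefghijklmnop$')), "\n";
$legacy = '$6$rounds=10$abcdefghijklmnop$' . str_repeat('.', 86); // constructed placeholder digest
echo login('correct horse', $legacy, $store), "\n";
```

Running the script on a current PHP, the first login succeeds and the record is rewritten with TARGET_ROUNDS, the wrong password is rejected, the rounds=10 salt comes back as a rounds=1000 hash, and the constructed legacy record yields reset_required because crypt() on this PHP cannot reproduce a sub-1000-round hash. The upgrade step only runs after a successful verification, since the plaintext is needed to compute the new hash; the reset decision is made from the stored hash alone, so it does not act as a password oracle.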