Newsgroups: php.internals
Date: Wed, 16 Jul 2014 10:45:24 +0900
Subject: Re: [PHP-DEV] crypt() BC issue
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Andrea Faulds
Cc: "internals@lists.php.net"
In-Reply-To: <61F23F13-DC8D-4C6B-A25C-E9B58B5EE602@ajf.me>

Hi Andrea,

On Wed, Jul 16, 2014 at 10:12 AM, Andrea Faulds wrote:

> > - Developer may use larger rounds and store updated hash when
> >   user is authenticated with old PHP.
> > - Developer may ask users to reset password if password hash has
> >   to fewer rounds than 1000 (i.e. outdated hash) with new PHP.
>
> Wait, doesn’t that mean you’re unable to verify passwords now?

It means old PHP users may need preparation for their apps to migrate to
newer PHP. If a developer upgrades PHP blindly, they may see a lot of
failed logins.

This change was done a while ago, so it would not be worth the effort to
relax the requirement now. IMHO.

We may add an optional flag to relax the limitation, though.
I don't mind modifying crypt() or adding a migration INI setting.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
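
Added example, not part of the original message or of PHP itself: a pre-upgrade audit that finds the stored hashes the thread is worried about, those with fewer than 1000 rounds. It assumes the standard SHA-crypt string layout (`$5$` or `$6$`, an optional `rounds=N$` field, 5000 rounds when that field is absent); the function names and sample records are constructed for illustration.

```python
import re

MIN_ROUNDS = 1000       # threshold named in the thread
DEFAULT_ROUNDS = 5000   # SHA-crypt default when no rounds= field is present

# $5$ = SHA-256 crypt, $6$ = SHA-512 crypt. The rounds= field is optional;
# a salt that itself starts with "rounds=" is treated as malformed.
SHA_CRYPT = re.compile(
    r"\$(5|6)\$(?:rounds=(\d+)\$)?((?!rounds=)[^$]{0,16})\$([./0-9A-Za-z]+)"
)

def classify(stored_hash):
    """Return (status, rounds) for one stored password hash string."""
    m = SHA_CRYPT.fullmatch(stored_hash)
    if m is None:
        return ("other", None)          # bcrypt, MD5-crypt, malformed, ...
    rounds = int(m.group(2)) if m.group(2) is not None else DEFAULT_ROUNDS
    if rounds < MIN_ROUNDS:
        return ("below_minimum", rounds)
    return ("ok", rounds)

def audit(records):
    """User ids whose hash should be re-hashed on next login under the
    old PHP, or reset, before the runtime is upgraded."""
    return sorted(uid for uid, h in records.items()
                  if classify(h)[0] == "below_minimum")

# Constructed sample records (digests are filler, not real hashes).
SAMPLE = {
    "alice": "$6$rounds=500$saltsaltsaltsalt$" + "A" * 86,
    "bob":   "$6$rounds=5000$saltsaltsaltsalt$" + "B" * 86,
    "carol": "$5$saltsalt$" + "C" * 43,
    "dave":  "$2y$10$" + "D" * 53,
    "erin":  "$5$rounds=999$s$" + "E" * 43,
}

if __name__ == "__main__":
    for uid in audit(SAMPLE):
        print(uid, classify(SAMPLE[uid]))
```
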