Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:75619 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 70721 invoked from network); 16 Jul 2014 23:53:10 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 16 Jul 2014 23:53:10 -0000 Authentication-Results: pb1.pair.com header.from=php@golemon.com; sender-id=softfail Authentication-Results: pb1.pair.com smtp.mail=php@golemon.com; spf=softfail; sender-id=softfail Received-SPF: softfail (pb1.pair.com: domain golemon.com does not designate 209.85.220.46 as permitted sender) X-PHP-List-Original-Sender: php@golemon.com X-Host-Fingerprint: 209.85.220.46 mail-pa0-f46.google.com Received: from [209.85.220.46] ([209.85.220.46:54136] helo=mail-pa0-f46.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id D5/56-37298-66017C35 for ; Wed, 16 Jul 2014 19:53:10 -0400 Received: by mail-pa0-f46.google.com with SMTP id lj1so2200225pab.33 for ; Wed, 16 Jul 2014 16:53:07 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=ERRvQ+f6KDFA4+kzbnTEpoHQDND6Pcm1pNdqdW7ExRU=; b=U8Wgavk0dkQ3klWYICN/lWQ3irI/uPucm+z2efzLhW6ENiW/EFdYB/N9XQXdiF8Z/F 40IqIauhrJ3E3gq97Fxb9oT3UECcuS+8OXdVAFaZnp/yUUB2WvojdAK3wvWk8nCiqlIW EUKwtKJMbdbBEWUpuIEB9QW77/OaR2l3k9C6OHZy4bvhrm2UKgv48csJaimPMVi+oGK8 WAqd1cmVuWfmgzz3a8JcvZtDy1lRHnGsLPbphSlg0aoOfSpVzotSyfiAlGsHc3RwWFYS Khef+u8DUVyqWq8TOORADWjFHS/blyGZoypH/9ms0r3FMlT5KjZCotE8wl82O8/qU+V+ zCyw== X-Gm-Message-State: ALoCoQn0cr01J1qnPGhmmnBr/2bfsEC3HR4+FuHulgEy4gIZ7ZJVF5GnGKTZbedI6GX9YLLDV/8q MIME-Version: 1.0 X-Received: by 10.68.203.132 with SMTP id kq4mr33505149pbc.12.1405554787678; Wed, 16 Jul 2014 16:53:07 -0700 (PDT) Sender: php@golemon.com Received: by 10.70.21.35 with HTTP; Wed, 16 Jul 2014 16:53:07 -0700 (PDT) X-Originating-IP: [184.250.45.59] In-Reply-To: References: Date: Wed, 16 Jul 2014 16:53:07 -0700 X-Google-Sender-Auth: pD8TSTct39yK7KyKJmqEFGmQytM Message-ID: To: Yasuo Ohgaki Cc: "internals@lists.php.net" Content-Type: text/plain; charset=UTF-8 Subject: Re: [PHP-DEV] crypt() BC issue From: pollita@php.net (Sara Golemon) On Tue, Jul 15, 2014 at 5:46 PM, Yasuo Ohgaki wrote: > crypt() has BC issue with older systems. > > https://bugs.php.net/bug.php?id=62372&edit=1 > > The reason rounds became 1000 from 10 is hardcoded lower limit for newer > PHPs. > Generally speaking, developer should never use less than 1000 rounds and > better to have > at least few thousands rounds or more, tens of thousands or more is > recommended. > > I would like to make this bug report 'wont fix', since migration is > possible. > > - Developer may use larger rounds and store updated hash when > user is authenticated with old PHP. > - Developer may ask users to reset password if password hash has > to fewer rounds than 1000 (i.e. outdated hash) with new PHP. > At the risk of perhaps missing the point, wouldn't it be more useful to encourage users in some way (perhaps through documentation only) to use password_hash()/password_verify() instead? It was designed with migration paths in mind. Apps which are currently using crypt() for their own password systems (the ones you would have migrate to crypt() + 1000 rounds) should be pointed at the right solution, not placated with an "okay for now, but may need to be migrated again later" route. As far as I'm aware, the only reason for not marking crypt() E_DEPRECATED right now is for compatibility with external systems, and as far as those go, changing a default won't effect anything. -Sara