Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:75623
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 78515 invoked from network); 17 Jul 2014 01:07:25 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 17 Jul 2014 01:07:25 -0000
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.217.176 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.217.176 mail-lb0-f176.google.com  
Received: from [209.85.217.176] ([209.85.217.176:39619] helo=mail-lb0-f176.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 0E/B7-37298-CC127C35 for <internals@lists.php.net>; Wed, 16 Jul 2014 21:07:24 -0400
Received: by mail-lb0-f176.google.com with SMTP id u10so932790lbd.7
        for <internals@lists.php.net>; Wed, 16 Jul 2014 18:07:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=FrcxCSlPgl76lXCMd4B/vJqQ34pE9a+BvDHgzLnsf9w=;
        b=aJ5nxth+omq7M1fpoaW/Ky/i81354nhchK+dad9wgnFzEQb2Iyzc+MmwV2TvmCc2kl
         s3E4mRqaKCc1/x2hXPoX0hvd2DRLrpnBfiO4Tpd875EqwdyXHR8KgkyRGNo5xftGsXTQ
         6ngz3BwpicTk9JFEAdp5f8gmxwIQepjXcRZwXQC06g+/5SGrF9ozuXfV6sYxtZt6kaUl
         Ux0HcnAcv9RiQqi+Zydk4eabpMpIWbHtLn4gsmQFzzhm+z3V0Bj+wUaGtOoeXNGgoCak
         DkLtDGVnn4O0/abtkwoJ2ZuYLWlaIPklXZB4HLvibftixNOKm2KsaZtZUcKSXvJisY++
         vG9w==
X-Received: by 10.152.170.229 with SMTP id ap5mr29241058lac.12.1405559241235;
 Wed, 16 Jul 2014 18:07:21 -0700 (PDT)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.112.128.202 with HTTP; Wed, 16 Jul 2014 18:06:40 -0700 (PDT)
In-Reply-To: <CAESVnVqBxo0VCYM_4V4_KzrD1+-F-0ipumrr_a=mAwaYje10Og@mail.gmail.com>
References: <CAGa2bXYP4L-EVjqiTvrOjbiRvzQJ7zyTQyu78O1AEEkk7nwEhQ@mail.gmail.com>
 <CAESVnVqBxo0VCYM_4V4_KzrD1+-F-0ipumrr_a=mAwaYje10Og@mail.gmail.com>
Date: Thu, 17 Jul 2014 10:06:40 +0900
X-Google-Sender-Auth: HotsYJvvk8ABsdb4NKYEcHeyJ9c
Message-ID: <CAGa2bXa48gEEcE_DWE27B3UHD0Yi12bFVZsx-9t_anHunkj5Dg@mail.gmail.com>
To: Sara Golemon <pollita@php.net>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=089e0117607148e5dd04fe5943b1
Subject: Re: [PHP-DEV] crypt() BC issue
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--089e0117607148e5dd04fe5943b1
Content-Type: text/plain; charset=UTF-8

Hi Sara,

On Thu, Jul 17, 2014 at 8:53 AM, Sara Golemon <pollita@php.net> wrote:

> At the risk of perhaps missing the point, wouldn't it be more useful
> to encourage users in some way (perhaps through documentation only) to
> use password_hash()/password_verify() instead?  It was designed with
> migration paths in mind.
>

I'll add them.


>  Apps which are currently using crypt() for their own password systems
> (the ones you would have migrate to crypt() + 1000 rounds) should be
> pointed at the right solution, not placated with an "okay for now, but
> may need to be migrated again later" route.
>
> As far as I'm aware, the only reason for not marking crypt()
> E_DEPRECATED right now is for compatibility with external systems, and
> as far as those go, changing a default won't effect anything.
>

Instead of relaxing crypt(), how about relax password_verify()?

<?php
$h='$6$rounds=10$qNElXs2yMnL2.GNS3kiM7DqmGbFLdQfIwu2691aJgT3xgJazPLtw7RPKz3Dp8RIc4b5fmJ7qvlq/mPN8a.rE40';
$p='salasana';
$c=crypt($p,$h);
echo "HASH:  $h\n";
echo "CRYPT: $c\n";
if ($c == $h) {
  echo "MATCH OK\n";
} else {
  echo "NO MATCH\n";
}

var_dump(password_verify($p, $h)); // Fails since password_verify() is
crypt() wrapper

$h2='$6$rounds=1000$qNElXs2yMnL2.GNS$/q7trYkbKkoJernsumbObt2IysdXGRx/ytFaG0HBC97rHHhYRQvUcyEuRHP6h5yj8V.fH7XKEw5hjofVmYONw1';

var_dump(password_verify($p, $h2)); // Success since it has 1000 rounds
?>

Current password_verify() is using the same hard coded 1000 rounds
limitation, but
it could be relaxed. This would be the best solution.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--089e0117607148e5dd04fe5943b1--