Newsgroups: php.internals
Subject: Re: [PHP-DEV] crypt() BC issue
From: tjerk.meesters@gmail.com (Tjerk Meesters)
To: Yasuo Ohgaki
Cc: Sara Golemon, internals@lists.php.net
Date: Thu, 17 Jul 2014 10:09:12 +0800

Hi,

On Thu, Jul 17, 2014 at 9:06 AM, Yasuo Ohgaki wrote:

> Hi Sara,
>
> On Thu, Jul 17, 2014 at 8:53 AM, Sara Golemon wrote:
>
> > At the risk of perhaps missing the point, wouldn't it be more useful
> > to encourage users in some way (perhaps through documentation only) to
> > use password_hash()/password_verify() instead? It was designed with
> > migration paths in mind.
>
> I'll add them.
>
> > Apps which are currently using crypt() for their own password systems
> > (the ones you would have migrate to crypt() + 1000 rounds) should be
> > pointed at the right solution, not placated with an "okay for now, but
> > may need to be migrated again later" route.
> >
> > As far as I'm aware, the only reason for not marking crypt()
> > E_DEPRECATED right now is for compatibility with external systems, and
> > as far as those go, changing a default won't affect anything.
>
> Instead of relaxing crypt(), how about relaxing password_verify()?
>
> <?php
> // SHA-512 crypt hash that claims rounds=10, below the 1000-round minimum crypt() enforces
> $h='$6$rounds=10$qNElXs2yMnL2.GNS3kiM7DqmGbFLdQfIwu2691aJgT3xgJazPLtw7RPKz3Dp8RIc4b5fmJ7qvlq/mPN8a.rE40';
> $p='salasana';
> $c=crypt($p,$h); // crypt() raises the rounds to 1000, so its output cannot equal $h
> echo "HASH: $h\n";
> echo "CRYPT: $c\n";
> if ($c == $h) {
>     echo "MATCH OK\n";
> } else {
>     echo "NO MATCH\n";
> }
>
> var_dump(password_verify($p, $h)); // Fails since password_verify() is a crypt() wrapper
>
> // Hash of the same password stored with rounds=1000
> $h2='$6$rounds=1000$qNElXs2yMnL2.GNS$/q7trYkbKkoJernsumbObt2IysdXGRx/ytFaG0HBC97rHHhYRQvUcyEuRHP6h5yj8V.fH7XKEw5hjofVmYONw1';
>
> var_dump(password_verify($p, $h2)); // Success since it has 1000 rounds
> ?>
>
> Current password_verify() is using the same hard-coded 1000 rounds
> limitation, but it could be relaxed. This would be the best solution.

Why should `password_verify()` work on a hash that wasn't generated with
`password_hash()`? The fact that it uses `crypt()` internally should not
leak outside of its API, imho.

> Regards,
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net

--
Tjerk
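The migration path Sara points at, worked through in PHP as an added example (it is not code from the thread or from PHP's own sources): legacy crypt() records are checked with crypt() and upgraded to password_hash() output on the next successful login, so password_verify() is only ever asked about hashes password_hash() produced. It also reproduces the rounds clamp behind the thread's "NO MATCH". It assumes PHP 7 or later (random_bytes(), hash_equals()); the legacy record it upgrades is constructed at run time.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ (random_bytes, hash_equals).
// Migration path Sara points at: verify legacy crypt() hashes with crypt(), then
// re-hash with password_hash() so password_verify() only ever sees its own output.

// password_get_info() reports 'unknown' for anything password_hash() did not produce.
function is_legacy_crypt_hash(string $hash): bool
{
    return password_get_info($hash)['algoName'] === 'unknown';
}

// crypt() re-derives the hash from the stored string's own salt and parameters;
// the length guard rejects crypt()'s "*0"/"*1" failure strings.
function verify_legacy(string $password, string $stored): bool
{
    $computed = crypt($password, $stored);
    return strlen($computed) > 13 && hash_equals($stored, $computed);
}

// Login that upgrades a legacy record in place once the plaintext is available.
function login(string $password, string &$stored): bool
{
    if (is_legacy_crypt_hash($stored)) {
        if (!verify_legacy($password, $stored)) {
            return false;
        }
        $stored = password_hash($password, PASSWORD_DEFAULT); // transparent upgrade
        return true;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $stored = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed legacy record: SHA-512 crypt with an explicit 10000-round salt.
$salt = substr(strtr(base64_encode(random_bytes(12)), '+', '.'), 0, 16);
$row = crypt('salasana', '$6$rounds=10000$' . $salt . '$');

// The BC issue from the thread: crypt() raises any rounds value below 1000 to
// 1000, so a "rounds=10" salt produces the same string as "rounds=1000".
var_dump(crypt('salasana', '$6$rounds=10$' . $salt . '$')
    === crypt('salasana', '$6$rounds=1000$' . $salt . '$'));

var_dump(login('wrong', $row));    // wrong password: $row stays a crypt() hash
var_dump(login('salasana', $row)); // correct password: $row upgraded in place
var_dump(password_verify('salasana', $row)); // the upgraded record is password_hash() output
```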