Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:75627 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 87849 invoked from network); 17 Jul 2014 02:25:51 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 17 Jul 2014 02:25:51 -0000 Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.42 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.215.42 mail-la0-f42.google.com Received: from [209.85.215.42] ([209.85.215.42:37926] helo=mail-la0-f42.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 35/B0-19007-D2437C35 for ; Wed, 16 Jul 2014 22:25:50 -0400 Received: by mail-la0-f42.google.com with SMTP id pv20so752990lab.15 for ; Wed, 16 Jul 2014 19:25:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=TEIfEXE994hhg5C4Iszcw0wS3t8T82S1hhCfez18Kyw=; b=jlMkeKtxMzWO3qsnkI6rEMlQAg9Vj3diWQal3W9bmOvSZ3j2Lz7egPE20tVMG86o75 YCS5fdC/2Yo+Kfqn5JoYQNWRsNu9VzncURSUfg7DWsPcyitIXOW6ptTXI4HiG4NF7dIP IgTpY43USlFuQT13lZFnnvNsPEasQbKWy10tfXY2KirgcIvAsu11q1KrSOlaFG89ghps h4ZTvlFoD7auFH86hgM7PFb6pbX/fW7uE0+NMF3MBsCfCHYO4v2EgPdH7xPCTHhW+iUI t1EYUxZBEDhbDVcB7B4sKhIyojHj2vmNdOYLwCutY0nBh34d+AOPZop67D4wgAPhqkza HqIw== X-Received: by 10.152.87.207 with SMTP id ba15mr29044058lab.15.1405563946306; Wed, 16 Jul 2014 19:25:46 -0700 (PDT) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.112.128.202 with HTTP; Wed, 16 Jul 2014 19:25:06 -0700 (PDT) In-Reply-To: References: Date: Thu, 17 Jul 2014 11:25:06 +0900 X-Google-Sender-Auth: ZY24N1HZeD8yq5mHoMvpWddgBc0 Message-ID: To: Tjerk Meesters Cc: Sara Golemon , "internals@lists.php.net" Content-Type: multipart/alternative; boundary=001a11c23e6cba917204fe5a5bcf Subject: Re: [PHP-DEV] crypt() BC issue From: yohgaki@ohgaki.net (Yasuo Ohgaki) --001a11c23e6cba917204fe5a5bcf Content-Type: text/plain; charset=UTF-8 Hi Tjerk, On Thu, Jul 17, 2014 at 11:09 AM, Tjerk Meesters wrote: > Why should `password_verify()` work on a hash that wasn't generated with > `password_hash()`? The fact that it uses `crypt()` internally should not > leak outside of its API, imho. password_*() is designed as crypt() wrapper and this fact is documented since it was released. Obsolete password hash is easy to verify with password_needs_rehash(). Developers can check password database easily with password_needs_rehash(). i.e. They don't have to parse password hash to detect obsolete hash. Therefore, using password_*() for crypt() generated passwords makes sense. Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net --001a11c23e6cba917204fe5a5bcf--