Newsgroups: php.internals
Xref: news.php.net php.internals:75640
Date: Thu, 17 Jul 2014 14:16:38 +0800
Subject: Re: [PHP-DEV] crypt() BC issue
From: tjerk.meesters@gmail.com (Tjerk Meesters)
To: Yasuo Ohgaki
Cc: Sara Golemon, "internals@lists.php.net"

On Thu, Jul 17, 2014 at 10:25 AM, Yasuo Ohgaki wrote:
> Hi Tjerk,
>
> On Thu, Jul 17, 2014 at 11:09 AM, Tjerk Meesters wrote:
>
>> Why should `password_verify()` work on a hash that wasn't generated with
>> `password_hash()`? The fact that it uses `crypt()` internally should not
>> leak outside of its API, imho.
>
> password_*() is designed as crypt() wrapper and this fact is documented
> since it was released.
>
> Obsolete password hash is easy to verify with password_needs_rehash().
> Developers can check password database easily with password_needs_rehash().

The documentation states that the `hash` argument to both `password_needs_rehash()` and `password_verify()` is:

  hash - A hash created by password_hash().

Passing a value from your own crypt() implementation may work, but that shouldn't be relied upon. I certainly wouldn't classify it as a problem that should be fixed in the password api.

> i.e. They don't have to parse password hash to detect obsolete hash.
>
> Therefore, using password_*() for crypt() generated passwords makes sense.
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net

--
-- Tjerk
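An added example, not code from the thread or from PHP itself, illustrating the flow Yasuo describes: a hash produced by crypt() is verified and then flagged for upgrade through the password_*() API without parsing its format. The salt and password are constructed values and verifyAndUpgrade() is a hypothetical helper.

```php
<?php
// Added example (not from the thread). Salt and password are constructed.

// A row as it might sit in a password table populated with crypt() before
// password_hash() existed: SHA-512 crypt with a fixed, constructed salt.
$legacyHash = crypt('correct horse battery staple', '$6$examplesalt$');

// The password API does not recognise this as one of its own algorithms
// ("unknown"), yet password_verify() still accepts it because it delegates
// to crypt(). This is the behaviour the thread is debating.
var_dump(password_get_info($legacyHash)['algoName']);                   // "unknown"
var_dump(password_verify('correct horse battery staple', $legacyHash)); // true

/**
 * Hypothetical login helper: verify the password and, if the stored hash was
 * not produced with the current password_hash() defaults, return a new hash
 * for the caller to store. password_needs_rehash() reports any hash whose
 * algorithm or options differ from the requested ones, so no hash-format
 * parsing is needed on the application side.
 *
 * @return array  [bool verified, string|null replacement hash]
 */
function verifyAndUpgrade($password, $storedHash)
{
    if (!password_verify($password, $storedHash)) {
        return array(false, null);
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        return array(true, password_hash($password, PASSWORD_DEFAULT));
    }
    return array(true, null);
}

// First login after deployment: the legacy crypt() hash is accepted and a
// replacement hash is produced.
list($ok, $newHash) = verifyAndUpgrade('correct horse battery staple', $legacyHash);
var_dump($ok);               // true
var_dump($newHash !== null); // true: legacy hash flagged for rehash

// Second login with the upgraded hash: verified, nothing left to rehash.
list($ok2, $again) = verifyAndUpgrade('correct horse battery staple', $newHash);
var_dump($ok2);   // true
var_dump($again); // NULL
```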