Newsgroups: php.internals
Date: Sat, 19 Jul 2014 07:46:22 +0200
To: Yasuo Ohgaki
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] Re: crypt() BC issue
From: nikita.ppv@gmail.com (Nikita Popov)

On Sat, Jul 19, 2014 at 4:15 AM, Yasuo Ohgaki wrote:
> Hi all,
>
> On Wed, Jul 16, 2014 at 9:46 AM, Yasuo Ohgaki wrote:
>
> > crypt() has a BC issue with older systems.
> >
> > https://bugs.php.net/bug.php?id=62372&edit=1
> >
> > The reason rounds became 1000 from 10 is the hardcoded lower limit for
> > newer PHPs.
> > Generally speaking, a developer should never use fewer than 1000 rounds,
> > and it is better to have at least a few thousand rounds or more; tens of
> > thousands or more is recommended.
> >
> > I would like to make this bug report 'wont fix', since migration is
> > possible.
> >
> > - Developer may use larger rounds and store the updated hash when the
> > user is authenticated with old PHP.
> > - Developer may ask users to reset their password if the password hash has
> > fewer rounds than 1000 (i.e. an outdated hash) with new PHP.
> >
> > Any comments?
> >
>
> I'm not going to touch crypt(), but the password_hash() behavior that
> silently truncates bytes beyond 72 is not good.
>
> I made a bug report for this to add E_NOTICE.
> https://bugs.php.net/bug.php?id=67653
>
> Any comments? If not, I'll add E_NOTICE in a few days.
>

I'm against adding this notice to password_hash. This will require all
applications to ensure that passwords are shorter than 72 chars. I don't
think that's a good idea.

Nikita
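The truncation the thread is arguing about, shown as an added example that is not part of the thread or of PHP's own code: bcrypt (PASSWORD_BCRYPT) keys on the first 72 bytes only, so two constructed passwords sharing those bytes verify against the same hash, and an application-side pre-check (the hypothetical wouldBcryptTruncate()/hashPasswordChecked() helpers below) is one way to surface that before hashing instead of relying on a notice from password_hash() itself.

```php
<?php
// Added example, not code from the thread or from PHP itself.
// bcrypt consumes at most 72 bytes of key material; the limit is in
// bytes, so strlen() (not mb_strlen()) is the right measure.
const BCRYPT_MAX_BYTES = 72;

// Constructed inputs: same first 72 bytes, different byte 73.
$prefix = str_repeat('a', BCRYPT_MAX_BYTES);
$pw1 = $prefix . 'X';
$pw2 = $prefix . 'Y';

$hash = password_hash($pw1, PASSWORD_BCRYPT, ['cost' => 10]);

var_dump(password_verify($pw1, $hash));    // bool(true)
var_dump(password_verify($pw2, $hash));    // bool(true): byte 73 is ignored
var_dump(password_verify($prefix, $hash)); // bool(true): 72 bytes suffice

/**
 * Hypothetical helper: report whether bcrypt would drop part of the input.
 * Returns true when the password is longer than the bytes bcrypt uses.
 */
function wouldBcryptTruncate(string $password): bool
{
    return strlen($password) > BCRYPT_MAX_BYTES;
}

/**
 * Hypothetical helper: hash with bcrypt but raise a user-level notice first
 * when truncation would occur, mirroring the E_NOTICE proposed in the bug
 * report but kept inside the application rather than in password_hash().
 * An application could equally reject the input here instead of continuing.
 */
function hashPasswordChecked(string $password): string
{
    if (wouldBcryptTruncate($password)) {
        trigger_error(sprintf(
            'password is longer than %d bytes; bcrypt will ignore the rest',
            BCRYPT_MAX_BYTES
        ), E_USER_NOTICE);
    }
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
}

$hash2 = hashPasswordChecked(str_repeat('b', 80));      // emits E_USER_NOTICE
var_dump(password_verify(str_repeat('b', 72), $hash2)); // bool(true)
```

Run with `php` on any 5.5+ build; the three true results on the first hash are the whole point of Yasuo's report, and the notice on the last call is the application-level alternative to changing password_hash().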