Newsgroups: php.internals
Date: Sat, 19 Jul 2014 17:44:14 +0900
Subject: Re: [PHP-DEV] Re: crypt() BC issue
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Nikita Popov
Cc: "internals@lists.php.net"

Hi Nikita,

On Sat, Jul 19, 2014 at 2:46 PM, Nikita Popov wrote:

> I'm against adding this notice to password_hash. This will require all
> applications to ensure that passwords are shorter than 72 chars. I don't
> think that's a good idea.

Generally speaking, it would not be a serious issue. A 72-byte constant prefix would most likely not be used.

However, a bug like this in "authentication" code must be detected and fixed. If a password should be truncated, it should be truncated by app developers explicitly, and users should be notified that their password had been truncated. IMHO.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
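The 72-byte behaviour discussed in this message, as an added example that is not part of the original post or of PHP's own code: it shows password_hash() with PASSWORD_BCRYPT accepting two different passwords that share a 72-byte prefix, next to an application-level length check. The helper name hash_password_explicit, the constant BCRYPT_MAX_BYTES and the choice to reject over-long input (rather than truncate and notify) are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// bcrypt only reads the first 72 bytes of its input (hypothetical constant name).
const BCRYPT_MAX_BYTES = 72;

/**
 * Hypothetical helper: hash with bcrypt, but refuse input that bcrypt would
 * silently truncate, so the application can tell the user what happened.
 */
function hash_password_explicit(string $password): string
{
    // strlen() counts bytes, which is what matters here: multi-byte UTF-8
    // passwords reach the limit with fewer than 72 characters.
    if (strlen($password) > BCRYPT_MAX_BYTES) {
        throw new LengthException(sprintf(
            'Password is %d bytes; bcrypt uses only the first %d.',
            strlen($password),
            BCRYPT_MAX_BYTES
        ));
    }
    return password_hash($password, PASSWORD_BCRYPT);
}

// Constructed sample input: two different passwords sharing a 72-byte prefix.
$prefix = str_repeat('a', BCRYPT_MAX_BYTES);
$first  = $prefix . 'first-suffix';
$second = $prefix . 'second-suffix';

// Silent truncation: a hash made from $first is checked against $second.
$hash = password_hash($first, PASSWORD_BCRYPT);
var_dump(password_verify($second, $hash));

// Explicit handling: the application sees the over-long input and can notify the user.
try {
    hash_password_explicit($first);
} catch (LengthException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// Input within the limit is hashed and verified as usual.
$ok = hash_password_explicit('a shorter passphrase');
var_dump(password_verify('a shorter passphrase', $ok));
```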