Newsgroups: php.internals
Subject: Re: [PHP-DEV] crypt() BC issue
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Anthony Ferrara
Cc: Adam Harvey, Tjerk Meesters, Sara Golemon, internals@lists.php.net
Date: Mon, 21 Jul 2014 09:04:34 +0900

Hi Anthony,

I want to finish and close this issue.

On Sun, Jul 20, 2014 at 9:33 AM, Yasuo Ohgaki wrote:

>> Also, deprecating crypt() without first discussing it (and having an
>> RFC to vote on) is not cool (and has been reverted):
>>
>> http://svn.php.net/viewvc/phpdoc/en/trunk/reference/strings/functions/crypt.xml?r1=333973&r2=334296
>>
> I wrote "Use of crypt is deprecated." not "crypt() is deprecated".

I didn't mean crypt() function deprecation. If it's confusing, I don't mind rewriting it at all.

BTW, what part is wrong? It seems we are misunderstanding each other, but the basis is the same, I suppose.

- crypt() will remain
- Users/developers should use password_*()
- It's not a good idea to have PHP's own crypt()

The differences are E_NOTICE and the workaround, it seems.

IMO, password_hash() must raise E_NOTICE for a too-long password. Truncation without error is not an option for me. People write stupid code without internal knowledge. Adding a fixed salt was common, since crypt() did not use to be good enough. In addition, the maximum password length is not decided by us, but by app developers. Therefore, we had better provide/explain a workaround for the password_hash() limitation.

Prehash in PHP is not an option, as we don't want a PHP-only crypt(). Prehash by the developer is an acceptable workaround for me. As you know, the characters that are used in passwords are limited. Some developers even allow UTF-8 for passwords; structured encoding could reduce the total number of bits in the password hash with a limited password length. Prehash with raw SHA512 will give us adequate data for PASSWORD_BCRYPT hashing regardless of password length.

Prehash ruins password_*() flexibility for sure, but there is a workaround also. Developers may use a timestamp to check whether a new hash (e.g. a 1024-bit hash, etc.) should be used or not. If we don't want such workarounds, we may enable SHA512 hash for password_hash() for those who don't want a password length limit.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
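The truncation the post argues about, and the developer-side prehash workaround it proposes, as an added example that is not part of the original message or of PHP's own code. It assumes a PHP version where PASSWORD_BCRYPT silently uses only the first 72 bytes of the password, as the post describes; the base64 step is an added precaution of this example (the post says "raw SHA512"), because a raw digest can contain a NUL byte, which crypt()-style implementations treat as the end of the string.

```php
<?php
// Added example (not from the mailing-list post): shows the bcrypt input
// limit that password_hash() inherits, and the prehash workaround.

const BCRYPT_INPUT_LIMIT = 72; // bytes actually consumed by bcrypt

// Two constructed passwords that differ only after byte 72.
$common = str_repeat('a', BCRYPT_INPUT_LIMIT);
$p1 = $common . 'X';
$p2 = $common . 'Y';

// Without prehashing: bcrypt ignores bytes past the limit, so a hash of
// $p1 verifies against $p2 as well, with no error or notice raised.
function truncation_is_silent(string $a, string $b): bool
{
    $hash = password_hash($a, PASSWORD_BCRYPT, ['cost' => 10]);
    return password_verify($b, $hash);
}

// Workaround from the post: prehash so bcrypt always sees a fixed-length,
// full-entropy input regardless of the user's password length.
// SHA-512 gives 64 raw bytes; base64 avoids embedded NUL bytes. The
// encoded form is 88 chars, so bcrypt still truncates it, but the first
// 72 chars carry 54 bytes (432 bits) of the digest, which is plenty.
function prehash(string $password): string
{
    return base64_encode(hash('sha512', $password, true));
}

function hash_password(string $password): string
{
    return password_hash(prehash($password), PASSWORD_BCRYPT, ['cost' => 10]);
}

function verify_password(string $password, string $stored): bool
{
    return password_verify(prehash($password), $stored);
}

// With prehashing, the byte-73 difference is no longer lost.
$stored = hash_password($p1);

echo 'plain bcrypt treats p1 and p2 as equal: ',
    truncation_is_silent($p1, $p2) ? 'yes' : 'no', PHP_EOL;
echo 'prehashed: p1 verifies: ',
    verify_password($p1, $stored) ? 'yes' : 'no', PHP_EOL;
echo 'prehashed: p2 verifies: ',
    verify_password($p2, $stored) ? 'yes' : 'no', PHP_EOL;
```

Existing hashes made without the prehash step cannot be verified through verify_password(), so a deployment that adopts it needs a migration marker (the timestamp the post mentions, or a hash-format tag) to decide which path to use.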