Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:75756
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 67050 invoked from network); 21 Jul 2014 09:45:45 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 21 Jul 2014 09:45:45 -0000
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.217.169 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.217.169 mail-lb0-f169.google.com  
Received: from [209.85.217.169] ([209.85.217.169:61585] helo=mail-lb0-f169.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id E6/33-51736-741ECC35 for <internals@lists.php.net>; Mon, 21 Jul 2014 05:45:43 -0400
Received: by mail-lb0-f169.google.com with SMTP id s7so4562972lbd.14
        for <internals@lists.php.net>; Mon, 21 Jul 2014 02:45:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=vAtonn0VKVQ4R6fMeXZ451juTHp4uu9Gp//JwC/JhsI=;
        b=VYy9tmrIkKkE5st6r5hBfBThRffCCYOANLfW/8kBbzKx8I3iE5gl+ZaDHh5rnBJDSL
         vtJeUIq/x11UDqlZ5/l4B4Fa1ryYPuHCJKsh3PSCpnWOTLDOVxxQxJOXspowUexzxnQp
         8sOWAcRKZfm71dchy9X22xyMdPQbjJz7GU1c//P5CPJDGqFA4PSH5G8Qm2NWjkvN7JoL
         UgPZwEBn6qjhN2mg0VUaD7Y/bsttYOWMpElZRNivQmDDSbNVCfbaFrilr6f7SAzU2poU
         XuWQxi6qVLNTlK1+avn6PnwBgfUyGLYooZ8sfOx10yWgh7oIjYvCOfKOk65CFQ5HdEwU
         z0+w==
X-Received: by 10.152.163.33 with SMTP id yf1mr1394950lab.6.1405935939522;
 Mon, 21 Jul 2014 02:45:39 -0700 (PDT)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.112.128.202 with HTTP; Mon, 21 Jul 2014 02:44:59 -0700 (PDT)
In-Reply-To: <CAGa2bXYQ4pdv2TmujSc48R_z0jGFtO9BHPVvinmjUz+c9ZeTXw@mail.gmail.com>
References: <CAGa2bXYP4L-EVjqiTvrOjbiRvzQJ7zyTQyu78O1AEEkk7nwEhQ@mail.gmail.com>
 <CAESVnVqBxo0VCYM_4V4_KzrD1+-F-0ipumrr_a=mAwaYje10Og@mail.gmail.com>
 <CAGa2bXa48gEEcE_DWE27B3UHD0Yi12bFVZsx-9t_anHunkj5Dg@mail.gmail.com>
 <CAHMUw2FLW06ABT=1RoH2gMuM7HbGDdSnLzxqfv8wNVp0rzfw+Q@mail.gmail.com>
 <CAGa2bXZF5sznggoYRFTtngO32b60NVG=6KqUBDB3guGb7_8oMA@mail.gmail.com>
 <CAHMUw2GyQOevKfZXuyd7S-PPUnShVVeoRvZNHK3q9w1yEe1wow@mail.gmail.com>
 <CADajX4C9sip=57QGaacZVq9cmAFhH6CJWpvSSjB7c921TGsJMQ@mail.gmail.com>
 <CAAyV7nFva4u-pW0Ago-VpkJ=-RuBvE_fjCg27Wza8_T6M0oYHA@mail.gmail.com>
 <CAGa2bXYkdBjoSpDJekPq=hxbty7GexkjyJnPNpH4vM4+v-v64Q@mail.gmail.com>
 <CAAyV7nF6HcdUcx_nYC2=87mkEGNk2AAhz3vtH9VGY0orwnzY+w@mail.gmail.com>
 <CAGa2bXaJBKL8b=ewy1VY5kWZ5G__yr=4kpJrFfxBrxr3EbntaA@mail.gmail.com>
 <CAAyV7nFE8XMgejPeRj5+ie6X+YH_w4y+Un9nksDdkqF86oo4hg@mail.gmail.com>
 <CAGa2bXaY1yq53OtpNjjgsR-7m5yMt5JYZt+kmVZoCuSkbVgUAQ@mail.gmail.com>
 <CAGa2bXaZw-V6Jc6O4ajqbnBtJsrZF9mqoZtjegdJDjBMCspmaw@mail.gmail.com>
 <A5BC162E-17A2-4C2F-BD51-AF0E399EF59B@gmail.com> <CAGa2bXYQ4pdv2TmujSc48R_z0jGFtO9BHPVvinmjUz+c9ZeTXw@mail.gmail.com>
Date: Mon, 21 Jul 2014 18:44:59 +0900
X-Google-Sender-Auth: 0n0VtdvkHFq_i3z0lgZwHajCZzc
Message-ID: <CAGa2bXZc6OQE6umq8WjESqs5=w3XgEfKM1tV4oPeT_iMLW24cA@mail.gmail.com>
To: David Muir <davidkmuir@gmail.com>
Cc: Anthony Ferrara <ircmaxell@gmail.com>, Adam Harvey <aharvey@php.net>, 
	Tjerk Meesters <tjerk.meesters@gmail.com>, Sara Golemon <pollita@php.net>, 
	"internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a11340764409a6604feb0f85d
Subject: Re: [PHP-DEV] crypt() BC issue
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--001a11340764409a6604feb0f85d
Content-Type: text/plain; charset=UTF-8

Hi all,

On Mon, Jul 21, 2014 at 3:17 PM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:

> In old days, crypt() was unusable securely. There are many
> users/developers that
> are used to have static slat. Code like below disables authentication
> completely.
>
> password_hash(hash('sha512', SOME_SECRET_SALT).$password, DEFAULT);
>
> This should be prevented. (I would like to prevent it by raising E_NOTICE
> error)
>

E_NOTICE for password larger than 72 is mandatory. Current password_hash()
works without any sign of problem even if it may not be working as
authentication.
I'll add E_NOTICE as bug fix if there aren't any more comments.

If we would like to recommend "Just use it", we may consider adding SHA512
> to password_hash().
>

This one needs RFC, but I'm OK with prehashing in userland.
Please write RFC and implement it if you are willing to have this.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--001a11340764409a6604feb0f85d--