Hashes are not for passwords only. For instance, hashes are usually used in
sharding and to calculate checksums. I suggest adding a warning to the
documentation, something like: if you need to hash a password, use
password_hash().

Best regards,
Vasilii.

On Sat, Feb 19, 2022, 8:03 PM <st...@tobtu.com> wrote:

> crypt() should be deprecated because it can be used to create bad password
> hashes:
>
> * descrypt: 12 bits of salt is too small and it's ~100x faster to crack
> than md5crypt. Which itself is too fast for password crackers (see
> CVE-2012-3287).
> * Extended DES: 24 bits of salt is too small.
> * md5crypt is too fast for password crackers (see CVE-2012-3287).
> * sha256crypt and sha512crypt are dangerous (see CVE-2016-20013).
>
> Since password_verify() and password_needs_rehash() already support
> hashes created with crypt(), the only thing needed to do is remove crypt().
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: https://www.php.net/unsub.php
>
>
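As an added example, not code from either message in the thread: a login-time migration that relies on the point made above, that password_verify() and password_needs_rehash() accept crypt()-format hashes, so legacy descrypt/md5crypt/sha*crypt values are replaced by a password_hash() value the next time the user authenticates. It assumes PHP 8 (for str_starts_with) and uses a constructed md5crypt hash; the function names are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Check $password against $storedHash, which may be a legacy crypt() hash
 * (descrypt, extended DES, md5crypt, sha256crypt, sha512crypt) or a modern
 * password_hash() value. Returns ['ok' => bool, 'newHash' => ?string]; when
 * newHash is set the caller should persist it in place of the old hash.
 */
function verifyAndUpgrade(string $password, string $storedHash): array
{
    // password_verify() understands every crypt() output format.
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'newHash' => null];
    }
    // password_needs_rehash() is true for any non-bcrypt crypt() hash, and
    // for bcrypt hashes made with a lower cost than the one requested here.
    $options = ['cost' => 12];
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, $options)) {
        return ['ok' => true, 'newHash' => password_hash($password, PASSWORD_DEFAULT, $options)];
    }
    return ['ok' => true, 'newHash' => null];
}

/** Classify a stored hash by its crypt() prefix, e.g. for auditing a user table. */
function hashKind(string $hash): string
{
    if (str_starts_with($hash, '$2y$'))    return 'bcrypt';
    if (str_starts_with($hash, '$argon2')) return 'argon2';
    if (str_starts_with($hash, '$6$'))     return 'sha512crypt';
    if (str_starts_with($hash, '$5$'))     return 'sha256crypt';
    if (str_starts_with($hash, '$1$'))     return 'md5crypt';
    if (str_starts_with($hash, '_'))       return 'extended DES';
    return strlen($hash) === 13 ? 'descrypt' : 'unknown';
}

// Constructed demo: a legacy md5crypt hash, as an old application might have stored.
$legacy = crypt('correct horse battery staple', '$1$saltsalt$');
echo "stored: ", hashKind($legacy), "\n";

$result = verifyAndUpgrade('correct horse battery staple', $legacy);
echo "verified: ", var_export($result['ok'], true), "\n";
echo "replacement: ", $result['newHash'] === null ? 'none' : hashKind($result['newHash']), "\n";

// A wrong password neither verifies nor triggers a rehash.
$bad = verifyAndUpgrade('wrong password', $legacy);
echo "wrong password verified: ", var_export($bad['ok'], true), "\n";
```

Running verifyAndUpgrade() a second time against the returned bcrypt hash yields ok with no newHash, so the upgrade is a one-time cost per account.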
