On Mon, Aug 22, 2011 at 3:52 PM, Solar Designer <so...@openwall.com> wrote:
> On Mon, Aug 22, 2011 at 03:19:53PM +0200, Ferenc Kovacs wrote:
>> we expected this imo.
>> http://www.mail-archive.com/internals@lists.php.net/msg51683.html
>> http://www.mail-archive.com/internals@lists.php.net/msg51687.html
>
> Definitely.
>
>> On Mon, Aug 22, 2011 at 3:05 PM, Pierre Joye <pierre....@gmail.com> wrote:
>> > it seems that the changes break BC too, pls see
>> > https://bugs.php.net/bug.php?id=55477
>
> We may recommend to Christian to change $2a$ in existing hashes to $2x$ if
> the goal is to preserve compatibility for all old passwords despite
> the security risk associated with doing so.  The change as implemented
> in PHP 5.3.7+ favors security and correctness over backwards compatibility,
> but it also lets users (admins of PHP app installs) use the new $2x$
> prefix on existing hashes to preserve backwards compatibility for those
> and incur the associated security risk until all such passwords are
> changed (using $2a$ or $2y$ for newly changed passwords).
>
> No change to the PHP code is needed.

Can you add this comment to the bug please? So every user reading it
will be informed. That's also something we have to document better.

> BTW, this is not the right thread to discuss this on (the "bug" has
> nothing to do with CRYPT_SHA256).


Oops, replied to the wrong one, sorry :)


-- 
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
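The verify-then-migrate flow that Solar Designer's quoted reply describes (check a stored `$2a$` hash under the corrected algorithm first, fall back to the `$2x$` buggy-compatible variant only for hashes that predate the PHP 5.3.7 upgrade, and rehash under `$2y$` as soon as the password is known), written out as an added example. This is not code from the thread, from PHP itself, or from any PHP application; the function names, the cost of 10, the `$predates_upgrade` flag (which a caller would derive from something like a stored creation date) and the sample password are all assumptions made for the illustration.

```php
<?php
// Added example, not from the mailing-list thread. Requires PHP >= 5.3.7 for the $2x$/$2y$ prefixes.

// Constant-time string comparison (hash_equals() only exists from PHP 5.6 on).
function ct_equals($a, $b) {
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Fresh $2y$ salt: 22 characters from bcrypt's ./A-Za-z0-9 alphabet, cost as given (assumed default 10).
function bcrypt_salt($cost = 10) {
    $raw = function_exists('random_bytes') ? random_bytes(16) : openssl_random_pseudo_bytes(16);
    $chars = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $chars);
}

// Re-derive the hash from the password and the stored value (prefix + cost + salt) and compare.
// crypt() returns a short '*0'/'*1' string on failure, which the length check rejects.
function bcrypt_matches($password, $stored) {
    $computed = crypt($password, $stored);
    return strlen($computed) === 60 && ct_equals($computed, $stored);
}

// Returns array('valid' => bool, 'legacy' => bool, 'new_hash' => string|null).
// $predates_upgrade must be true only for hashes written by PHP < 5.3.7; it is the caller's
// evidence that the $2x$ fallback (and its associated risk, as the thread notes) is warranted.
function verify_and_migrate($password, $stored, $predates_upgrade = false) {
    $result = array('valid' => false, 'legacy' => false, 'new_hash' => null);
    $prefix = substr($stored, 0, 4);

    // 1. Normal path: $2a$ now means the corrected algorithm, $2y$ is the new explicit prefix.
    if (bcrypt_matches($password, $stored)) {
        $result['valid'] = true;
        if ($prefix !== '$2y$') {
            $result['new_hash'] = crypt($password, bcrypt_salt()); // opportunistic upgrade
        }
        return $result;
    }

    // 2. Legacy path: a $2a$ hash produced by the old buggy code only verifies under $2x$.
    if ($predates_upgrade && $prefix === '$2a$') {
        $legacy = '$2x$' . substr($stored, 4);
        if (bcrypt_matches($password, $legacy)) {
            $result['valid'] = true;
            $result['legacy'] = true;
            $result['new_hash'] = crypt($password, bcrypt_salt()); // retire the $2x$ dependency now
        }
    }
    return $result;
}

// Demonstration with a constructed password containing an 8-bit (UTF-8) character.
$password = "p\xc3\xa4ssword"; // "pässword"

// Simulate what a pre-5.3.7 PHP would have stored: the $2x$ output relabelled as $2a$.
$old_hash = '$2a$' . substr(crypt($password, '$2x$' . substr(bcrypt_salt(), 4)), 4);
$r = verify_and_migrate($password, $old_hash, true);
printf("legacy hash: valid=%d legacy=%d new prefix=%s\n",
       $r['valid'], $r['legacy'], substr((string) $r['new_hash'], 0, 4));

// A hash already written with $2y$ verifies directly and needs no rewrite.
$new_hash = crypt($password, bcrypt_salt());
$r = verify_and_migrate($password, $new_hash);
printf("current hash: valid=%d legacy=%d new_hash=%s\n",
       $r['valid'], $r['legacy'], $r['new_hash'] === null ? 'none' : 'set');

// Without the caller's evidence that the hash is old, the $2x$ fallback is never tried.
$r = verify_and_migrate($password, $old_hash, false);
printf("legacy hash, fallback disabled: valid=%d\n", $r['valid']);
```

The `$predates_upgrade` gate is the practical reading of the thread's "until all such passwords are changed": the fallback is scoped to hashes an application can show were written before the upgrade, and every successful legacy verification immediately replaces the stored value with a `$2y$` hash, so the window in which `$2x$` is consulted shrinks to zero as users log in.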
