On 31 July 2012 18:21, Anthony Ferrara <ircmax...@gmail.com> wrote: *snip*
> > Also, be aware that BCrypt only uses the first 72 characters of the > password field. So if you use a hex encoded sha512 output, a good deal of > entropy would be lost (almost half of it)... > Seeing as the hashing function will default (at first, at least) to bcrypt, would it be possible to add a warning if it's given an input longer than 72 chars? Preferably make the function context-aware so you don't get the same warning if using sha512. Otherwise I predict that someone will do: $hash = password_hash($my_128_char_pepper . $password, PASSWORD_DEFAULT); Which obviously renders the hashing useless, as you'll be hashing the same 72 chars over and over again. Which, currently, crypt() let's you get away with without as much as a hiccup. Regards Peter -- <hype> WWW: plphp.dk / plind.dk CV: careers.stackoverflow.com/peterlind LinkedIn: plind Twitter: kafe15 </hype> -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
