Hi all,

crypt() has a BC issue with older systems.
https://bugs.php.net/bug.php?id=62372&edit=1

The reason rounds became 1000 from 10 is a hardcoded lower limit for newer PHPs.
Generally speaking, developers should never use fewer than 1000 rounds, and it is better to have at least a few thousand rounds or more; tens of thousands or more is recommended.

I would like to make this bug report 'wont fix', since migration is possible.

- Developers may use larger rounds and store the updated hash when the user is authenticated with old PHP.
- Developers may ask users to reset their password if the password hash has fewer rounds than 1000 (i.e. an outdated hash) with new PHP.

Any comments?

--
Yasuo Ohgaki
yohg...@ohgaki.net
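The two migration paths listed in the message above, sketched as an added example (not code from the message, the bug report or php-src). The function names, the 5000-round target and the use of openssl_random_pseudo_bytes() for the salt are assumptions; the code is limited to the $5$/$6$ SHA-crypt formats that carry a rounds= field.

```php
<?php
define('TARGET_ROUNDS', 5000); // assumed policy value; raise it as hardware allows
define('MIN_ROUNDS', 1000);    // lower limit named in the message

// Rounds encoded in a $5$/$6$ (SHA-256/SHA-512) crypt hash; null if not SHA-crypt.
function sha_crypt_rounds($hash)
{
    if (!preg_match('/^\$[56]\$(?:rounds=(\d+)\$)?/', $hash, $m)) {
        return null;
    }
    return isset($m[1]) ? (int) $m[1] : 5000; // no rounds= field means the 5000 default
}

// Probe: does this runtime still compute hashes below MIN_ROUNDS as written?
function runtime_honours_low_rounds()
{
    $out = crypt('probe', '$6$rounds=10$constructedsalt$'); // constructed salt
    return is_string($out) && strncmp($out, '$6$rounds=10$', 13) === 0;
}

// Comparison without early exit (hash_equals() needs PHP 5.6+).
function same_hash($a, $b)
{
    if (function_exists('hash_equals')) {
        return hash_equals($a, $b);
    }
    $diff = strlen($a) ^ strlen($b);
    for ($i = 0; $i < strlen($a) && $i < strlen($b); $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Returns array(status, hash to store). Status: ok | rehashed | bad_password | reset_required.
function login_and_migrate($password, $stored)
{
    $rounds = sha_crypt_rounds($stored); // null: not SHA-crypt, out of scope here
    if ($rounds === null || ($rounds < MIN_ROUNDS && !runtime_honours_low_rounds())) {
        return array('reset_required', $stored); // cannot be verified on this runtime
    }
    $check = crypt($password, $stored);
    if (!is_string($check) || !same_hash($stored, $check)) {
        return array('bad_password', $stored);
    }
    if ($rounds >= TARGET_ROUNDS) {
        return array('ok', $stored);
    }
    $salt = bin2hex(openssl_random_pseudo_bytes(8)); // 16 salt characters
    return array('rehashed', crypt($password, '$6$rounds=' . TARGET_ROUNDS . '$' . $salt . '$'));
}
```

On a runtime that enforces the lower limit, a stored hash with rounds=10 comes back as reset_required rather than bad_password, so a correct password is not reported as wrong.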