Hi Andrea,

On Wed, Jul 16, 2014 at 10:12 AM, Andrea Faulds <a...@ajf.me> wrote:

> > - Developer may use larger rounds and store updated hash when
> >   user is authenticated with old PHP.
> > - Developer may ask users to reset password if password hash has
> >   fewer rounds than 1000 (i.e. outdated hash) with new PHP.
>
> Wait, doesn’t that mean you’re unable to verify passwords now?

It means users of old PHP may need to prepare their apps to
migrate to newer PHP.

If developers upgrade PHP blindly, they may see a lot of failed logins.

This change was done a while ago, so it would not be worth the effort to relax
the requirement now, IMHO.

We may add an optional flag to relax the limitation, though.
I don't mind modifying crypt() or adding a migration INI setting.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
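The two migration paths in the quoted bullets (a pre-upgrade audit of stored hashes, and a login-time rehash on the old PHP while the low-round hash still verifies), as an added PHP example that is not code from this thread or from PHP itself; the 1000-round minimum, the `$6$rounds=N$salt$hash` field layout, the 5000-round default and the constructed sample store are assumptions taken from the discussion above:

```php
<?php
// Added example (not code from the thread or from PHP itself); assumes the
// 1000-round minimum described above and the "$6$rounds=N$salt$hash" format.
declare(strict_types=1);

const MIN_ROUNDS = 1000;     // minimum the newer crypt() enforces
const DEFAULT_ROUNDS = 5000; // SHA-crypt default when rounds= is absent

// Round count encoded in a SHA-256/512 crypt hash, or null if not SHA-crypt.
function shaCryptRounds(string $hash): ?int {
    if (!preg_match('/^\$[56]\$(?:rounds=(\d+)\$)?[^$]{1,16}\$[^$]+$/', $hash, $m)) {
        return null;
    }
    return isset($m[1]) && $m[1] !== '' ? (int) $m[1] : DEFAULT_ROUNDS;
}

// True when the hash would stop verifying on the newer PHP (rounds below 1000).
function isOutdatedHash(string $hash): bool {
    $rounds = shaCryptRounds($hash);
    return $rounds !== null && $rounds < MIN_ROUNDS;
}

// Pre-upgrade audit: users whose stored hash needs a rehash or a password reset.
function findOutdatedHashes(array $hashesByUser): array {
    return array_keys(array_filter($hashesByUser, 'isOutdatedHash'));
}

// Login-time migration on the old PHP, where the low-round hash still verifies:
// returns a fresh higher-round hash to store, the unchanged hash if it is fine,
// or null when the password is wrong. hash_equals() (PHP 5.6+) is preferable.
function upgradeHashOnLogin(string $password, string $storedHash, int $newRounds = 10000): ?string {
    if (crypt($password, $storedHash) !== $storedHash) {
        return null;
    }
    if (!isOutdatedHash($storedHash)) {
        return $storedHash;
    }
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < 16; $i++) {
        $salt .= $alphabet[random_int(0, 63)];
    }
    return crypt($password, '$6$rounds=' . $newRounds . '$' . $salt . '$');
}

// Constructed sample store: bob's 500-round hash is below the new minimum.
$store = ['alice' => '$6$rounds=5000$abcdefgh$x', 'bob' => '$6$rounds=500$abcdefgh$y'];
print_r(findOutdatedHashes($store));
```

Running the audit before the upgrade lists the accounts that will start failing login, so they can be rehashed at their next successful login or sent a reset instead of discovering the problem as a spike in failed logins.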
