Hi Sara,
On Thu, Jul 17, 2014 at 8:53 AM, Sara Golemon <[email protected]> wrote:
> At the risk of perhaps missing the point, wouldn't it be more useful
> to encourage users in some way (perhaps through documentation only) to
> use password_hash()/password_verify() instead? It was designed with
> migration paths in mind.
>
I'll add them.
> Apps which are currently using crypt() for their own password systems
> (the ones you would have migrate to crypt() + 1000 rounds) should be
> pointed at the right solution, not placated with an "okay for now, but
> may need to be migrated again later" route.
>
> As far as I'm aware, the only reason for not marking crypt()
> E_DEPRECATED right now is for compatibility with external systems, and
> as far as those go, changing a default won't affect anything.
>
Instead of relaxing crypt(), how about relaxing password_verify()?
<?php
$h='$6$rounds=10$qNElXs2yMnL2.GNS3kiM7DqmGbFLdQfIwu2691aJgT3xgJazPLtw7RPKz3Dp8RIc4b5fmJ7qvlq/mPN8a.rE40';
$p='salasana';
$c=crypt($p,$h);
echo "HASH: $h\n";
echo "CRYPT: $c\n";
if ($c == $h) {
    echo "MATCH OK\n";
} else {
    echo "NO MATCH\n";
}
var_dump(password_verify($p, $h)); // Fails since password_verify() is a crypt() wrapper
$h2='$6$rounds=1000$qNElXs2yMnL2.GNS$/q7trYkbKkoJernsumbObt2IysdXGRx/ytFaG0HBC97rHHhYRQvUcyEuRHP6h5yj8V.fH7XKEw5hjofVmYONw1';
var_dump(password_verify($p, $h2)); // Success since it has 1000 rounds
?>
Current password_verify() is using the same hard-coded 1000 rounds limitation, but it could be relaxed. This would be the best solution.
Regards,
--
Yasuo Ohgaki
[email protected]
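The migration path Sara mentions, and the 1000-round floor that Yasuo's snippet runs into, as an added example that is not part of the thread: it flags stored SHA-512 crypt hashes that crypt()/password_verify() can never verify, and moves verifiable legacy users to password_hash() on their next login. Assumes PHP 7.1 or later; the `$store` callback, the constructed sample hashes and the helper names are mine.

```php
<?php
// Added example, not code from the thread. Assumes the SHA-512 crypt floor
// discussed above: crypt() raises any rounds=N below 1000 to 1000 when it
// recomputes, so a stored hash with a smaller N can never compare equal.
const CRYPT_SHA512_MIN_ROUNDS = 1000;

// Rounds encoded in a "$6$rounds=N$salt$hash" string; null when the hash
// uses the implicit default or is not a SHA-512 crypt hash at all.
function sha512_crypt_rounds(string $hash): ?int
{
    return preg_match('/^\$6\$rounds=(\d+)\$/', $hash, $m) ? (int) $m[1] : null;
}

// True when crypt()/password_verify() cannot possibly verify this hash.
function is_unverifiable_hash(string $hash): bool
{
    $rounds = sha512_crypt_rounds($hash);
    return $rounds !== null && $rounds < CRYPT_SHA512_MIN_ROUNDS;
}

// Login check with transparent migration to password_hash().
// $store is an assumed callback that persists the replacement hash.
function login(string $password, string $storedHash, callable $store): bool
{
    if (is_unverifiable_hash($storedHash)) {
        return false; // nothing to compare against; the account needs a reset
    }
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    // A crypt-style hash is never PASSWORD_DEFAULT (bcrypt), so legacy users
    // are rehashed on their first successful login.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $store(password_hash($password, PASSWORD_DEFAULT));
    }
    return true;
}

// Constructed sample data: a rounds=10 hash like the one in the thread (body
// is a placeholder) and one produced here at the 1000-round floor.
$belowFloor = '$6$rounds=10$qNElXs2yMnL2.GNS$' . str_repeat('x', 86);
$atFloor    = crypt('salasana', '$6$rounds=1000$qNElXs2yMnL2.GNS$');
$saved = null;
$store = function (string $h) use (&$saved) { $saved = $h; };

var_dump(is_unverifiable_hash($belowFloor));      // flagged for audit
var_dump(login('salasana', $belowFloor, $store)); // rejected without hashing
var_dump(login('salasana', $atFloor, $store));    // verified, $saved now bcrypt
var_dump($saved !== null && !password_needs_rehash($saved, PASSWORD_DEFAULT));
```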