Hi Tjerk,

On Thu, Jul 17, 2014 at 11:09 AM, Tjerk Meesters <tjerk.meest...@gmail.com> wrote:
> Why should `password_verify()` work on a hash that wasn't generated with
> `password_hash()`? The fact that it uses `crypt()` internally should not
> leak outside of its API, imho.

password_*() is designed as a crypt() wrapper, and this fact has been documented since it was released.

Obsolete password hashes are easy to verify with password_needs_rehash(). Developers can check a password database easily with password_needs_rehash(), i.e., they don't have to parse the password hash to detect an obsolete hash.

Therefore, using password_*() for crypt() generated passwords makes sense.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
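The pattern Yasuo describes, as an added example that is not part of the thread: a legacy hash produced directly by crypt() is accepted by password_verify(), and password_needs_rehash() flags it for upgrade without the caller parsing the hash format. The MD5-crypt salt and the helper name verifyAndUpgrade are constructed for illustration.

```php
<?php
// Added example (not from the thread): login-time migration of a legacy
// crypt() hash via password_verify() and password_needs_rehash().

// Constructed legacy record: an MD5-crypt hash made directly with crypt().
// The salt "$1$constrct$" is made up for this example.
$legacyHash = crypt('correct horse', '$1$constrct$');

function verifyAndUpgrade(string $password, string $storedHash): array
{
    // password_verify() accepts any crypt()-format hash, so the legacy
    // MD5-crypt value verifies without special-casing its format.
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'hash' => $storedHash];
    }
    // password_needs_rehash() reports whether the stored hash was produced
    // with the current algorithm/options; the caller never parses the hash.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        // Rehash with the current default while the plaintext is available.
        $storedHash = password_hash($password, PASSWORD_DEFAULT);
    }
    return ['ok' => true, 'hash' => $storedHash];
}

$result = verifyAndUpgrade('correct horse', $legacyHash);
assert($result['ok'] === true);
// PASSWORD_DEFAULT is bcrypt, so the upgraded hash carries the "$2y$" prefix.
assert(substr($result['hash'], 0, 4) === '$2y$');
// A second login against the upgraded record needs no further rehash.
assert(password_needs_rehash($result['hash'], PASSWORD_DEFAULT) === false);
// A wrong password is rejected and the stored hash is left untouched.
assert(verifyAndUpgrade('wrong', $legacyHash) === ['ok' => false, 'hash' => $legacyHash]);
```

Run with zend.assertions=1 so the assert() checks are evaluated.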