Hi all,

On Wed, Jul 16, 2014 at 9:46 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:

> crypt() has a BC issue with older systems.
>
> https://bugs.php.net/bug.php?id=62372&edit=1
>
> The reason rounds became 1000 from 10 is the hardcoded lower limit for newer PHPs.
> Generally speaking, a developer should never use less than 1000 rounds and
> better to have at least a few thousand rounds or more; tens of thousands or more is
> recommended.
>
> I would like to make this bug report 'won't fix', since migration is possible.
>
> - Developer may use larger rounds and store the updated hash when
>   the user is authenticated with old PHP.
> - Developer may ask users to reset their password if the password hash has
>   fewer rounds than 1000 (i.e. an outdated hash) with new PHP.
>
> Any comments?

I'm not going to touch crypt(), but password_hash() behavior that silently truncates bytes beyond 72 is not good. I made a bug report for this to add E_NOTICE.

https://bugs.php.net/bug.php?id=67653

Any comments? If not, I'll add E_NOTICE in a few days.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
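An added example, not from the thread or from PHP's own sources, showing the 72-byte bcrypt truncation the post refers to, together with a userland wrapper that raises a notice the way the proposed E_NOTICE would; the wrapper name `checked_password_hash` and the constructed passwords are assumptions.

```php
<?php
// Added example: bcrypt (PASSWORD_BCRYPT) only uses the first 72 bytes of the
// password; password_hash() cuts the rest off without any diagnostic.

const BCRYPT_MAX_BYTES = 72;

/**
 * Hypothetical wrapper: same result as password_hash(), but emits a notice
 * when the input is longer than bcrypt can actually use, so the caller
 * learns about the truncation instead of silently storing a weaker hash.
 */
function checked_password_hash($password, $cost = 10)
{
    // strlen() counts bytes, not characters, which is what matters here:
    // multibyte (e.g. UTF-8) passphrases reach the limit sooner.
    $len = strlen($password);
    if ($len > BCRYPT_MAX_BYTES) {
        trigger_error(sprintf(
            'password_hash(): password is %d bytes; bcrypt uses only the first %d',
            $len, BCRYPT_MAX_BYTES
        ), E_USER_NOTICE);
    }
    return password_hash($password, PASSWORD_BCRYPT, array('cost' => $cost));
}

// Constructed demo input: two passwords that share their first 72 bytes
// and differ only in the 73rd byte.
$prefix = str_repeat('a', BCRYPT_MAX_BYTES);
$pwA = $prefix . 'X';
$pwB = $prefix . 'Y';

// Low cost only to keep the demo fast; use a much higher cost in production.
$hashA = password_hash($pwA, PASSWORD_BCRYPT, array('cost' => 4));

// Because everything past byte 72 is ignored, verifying the "other"
// password against A's hash reports whether the two collide.
var_dump(password_verify($pwB, $hashA));

// The wrapper produces an equally valid hash, but with a notice on stderr/stdout
// so the oversized input is visible during development.
$hashChecked = checked_password_hash($pwA, 4);
var_dump(password_verify($pwA, $hashChecked));
```

Run it with PHP 5.5 or later: the first var_dump shows that the 73-byte password B verifies against A's hash, which is exactly the silent collision the E_NOTICE proposal is meant to surface.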