On Sat, Jul 19, 2014 at 4:15 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> Hi all,
>
> On Wed, Jul 16, 2014 at 9:46 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
>
> > crypt() has a BC issue with older systems.
> >
> > https://bugs.php.net/bug.php?id=62372&edit=1
> >
> > The reason rounds became 1000 from 10 is the hardcoded lower limit in newer
> > PHPs.
> > Generally speaking, a developer should never use fewer than 1000 rounds; it is
> > better to have at least a few thousand rounds or more, and tens of thousands
> > or more is recommended.
> >
> > I would like to make this bug report 'wont fix', since migration is
> > possible.
> >
> > - The developer may use larger rounds and store the updated hash when the
> >   user is authenticated with the old PHP.
> > - The developer may ask users to reset their password if the password hash
> >   has fewer rounds than 1000 (i.e. an outdated hash) with the new PHP.
> >
> > Any comments?
> >
>
> I'm not going to touch crypt(), but password_hash()'s behavior of silently
> truncating bytes beyond the 72nd is not good.
>
> I made a bug report for this to add an E_NOTICE.
> https://bugs.php.net/bug.php?id=67653
>
> Any comments? If not, I'll add the E_NOTICE in a few days.
>

I'm against adding this notice to password_hash. This will require all
applications to ensure that passwords are shorter than 72 chars. I don't
think that's a good idea.

Nikita
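The two points in the exchange above, as an added illustration that is not code from the thread, from PHP itself, or from either poster: the login-time migration Yasuo describes for crypt() hashes whose rounds fall below the enforced minimum, and the silent 72-byte bcrypt truncation he wants a notice for. It assumes PHP 7.1 or later. MIN_ROUNDS is the lower limit mentioned in the thread; BCRYPT_OPTS, BCRYPT_MAX_BYTES, the function names, the choice of bcrypt as the rehash target (the thread talks about rehashing with larger crypt() rounds instead) and the sample hash string are all assumptions made for this example.

```php
<?php
declare(strict_types=1);
// Added example for the discussion above; not code from PHP or from either
// poster. Assumes PHP 7.1+. MIN_ROUNDS mirrors the lower limit mentioned in
// the thread; everything else below is constructed for this example.

const MIN_ROUNDS = 1000;                 // hardcoded lower limit in newer PHP crypt()
const BCRYPT_OPTS = ['cost' => 12];      // hypothetical site policy for new hashes
const BCRYPT_MAX_BYTES = 72;             // bcrypt ignores bytes past this point

/**
 * Return the rounds parameter of a SHA-256/SHA-512 crypt hash ($5$/$6$),
 * the sha-crypt default (5000) when no rounds= field is present, or null for
 * any other format (for instance a bcrypt $2y$ hash).
 */
function crypt_rounds(string $hash): ?int
{
    if (preg_match('/^\$[56]\$rounds=(\d+)\$/', $hash, $m)) {
        return (int) $m[1];
    }
    if (preg_match('/^\$[56]\$/', $hash)) {
        return 5000;
    }
    return null;
}

/**
 * Login-time migration. Returns 'reset' for hashes that can no longer be
 * verified on this PHP (rounds below the enforced minimum), 'deny' on a bad
 * password, and otherwise 'ok', plus a replacement hash when one is due.
 */
function migrate_on_login(string $stored, string $password): array
{
    $rounds = crypt_rounds($stored);
    // A hash made with rounds=10 on an old PHP cannot be reproduced here:
    // crypt() clamps the rounds to MIN_ROUNDS, so the comparison always
    // fails. Do not even try; ask the user to reset instead.
    if ($rounds !== null && $rounds < MIN_ROUNDS) {
        return ['status' => 'reset'];
    }
    if (!password_verify($password, $stored)) {
        return ['status' => 'deny'];
    }
    // Valid but outdated (crypt format, or bcrypt below the policy cost):
    // the plaintext is in hand right now, so upgrade the stored hash.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTS)) {
        return [
            'status'   => 'ok',
            'new_hash' => password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS),
        ];
    }
    return ['status' => 'ok'];
}

/**
 * Show the silent truncation: a password that shares only the first 72
 * bytes of the real one verifies against the same bcrypt hash.
 */
function bcrypt_truncation_demo(): bool
{
    $real = str_repeat('a', BCRYPT_MAX_BYTES) . 'these bytes are never hashed';
    $hash = password_hash($real, PASSWORD_BCRYPT, ['cost' => 4]); // low cost: demo only
    return password_verify(substr($real, 0, BCRYPT_MAX_BYTES), $hash);
}

/** The application-side length check the thread argues about, made explicit. */
function check_password_length(string $password): void
{
    if (strlen($password) > BCRYPT_MAX_BYTES) {   // strlen counts bytes, not characters
        throw new InvalidArgumentException(
            'password exceeds 72 bytes; bcrypt would silently truncate it'
        );
    }
}

// Constructed sample input: a placeholder SHA-512 crypt hash from a pre-limit PHP.
$old = '$6$rounds=10$saltsalt$' . str_repeat('x', 86);
echo 'old rounds=10 hash: ', migrate_on_login($old, 'secret')['status'], PHP_EOL;
echo 'bytes past 72 ignored by bcrypt: ', var_export(bcrypt_truncation_demo(), true), PHP_EOL;
```

The reset branch runs before password_verify() on purpose: verifying would only burn a crypt() call that is guaranteed to disagree with the stored hash. The rehash branch covers both the crypt-format hashes the thread is about and bcrypt hashes whose cost is below the current policy, since password_needs_rehash() reports either as needing replacement.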