Hi Nikita,

On Sat, Jul 19, 2014 at 2:46 PM, Nikita Popov <nikita....@gmail.com> wrote:

> I'm against adding this notice to password_hash. This will require all
> applications to ensure that passwords are shorter than 72 chars. I don't
> think that's a good idea.

Generally speaking, it would not be a serious issue. A 72-byte constant prefix would most likely not be used. However, a bug like this in "authentication" code must be detected and fixed.

If a password should be truncated, it should be truncated by app developers explicitly, and users should be notified that their password has been truncated. IMHO.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
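The explicit length check Yasuo argues for, as an added example that is not part of the thread and not code from PHP itself. It assumes PHP 7.1 or later, and the function names `check_password_length` and `hash_password` and the constant `BCRYPT_MAX_BYTES` are names chosen for this example. The first part shows the behaviour under discussion: with `PASSWORD_BCRYPT`, `password_hash()` only uses the first 72 bytes, so a hash of a 72-byte password also verifies against that password with anything appended. The second part rejects over-long passwords up front so the application, not the hash function, decides what happens.

```php
<?php
// Added example (not from the thread or from PHP): make the 72-byte bcrypt
// limit an explicit application decision instead of a silent truncation.

const BCRYPT_MAX_BYTES = 72; // name chosen for this example

function check_password_length(string $password): void
{
    // strlen() counts bytes, which is what bcrypt truncates on; mb_strlen()
    // would undercount for multibyte UTF-8 input and let long passwords through.
    $bytes = strlen($password);
    if ($bytes > BCRYPT_MAX_BYTES) {
        throw new InvalidArgumentException(sprintf(
            'Password is %d bytes; bcrypt only uses the first %d bytes',
            $bytes,
            BCRYPT_MAX_BYTES
        ));
    }
}

function hash_password(string $password): string
{
    // Reject (or, if the application prefers, truncate and tell the user)
    // before the hash function silently drops the extra bytes.
    check_password_length($password);
    return password_hash($password, PASSWORD_BCRYPT);
}

// 1. The silent truncation the thread is about. Cost 4 keeps the demo fast.
$prefix = str_repeat('a', 72);
$hash   = password_hash($prefix, PASSWORD_BCRYPT, ['cost' => 4]);
var_dump(password_verify($prefix . 'completely-different-suffix', $hash));
// bool(true): bytes after the 72nd are never looked at

// 2. With the explicit check, the same input is rejected instead.
try {
    hash_password($prefix . 'x');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Whether to reject or to truncate-and-notify is the application's call, which is the point of the reply above; what matters is that the decision is visible in the application's own code rather than buried in `password_hash()`.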