On Jul 19, 2014 11:45 AM, "Yasuo Ohgaki" <yohg...@ohgaki.net> wrote:
>
> Hi Nikita,
>
> On Sat, Jul 19, 2014 at 2:46 PM, Nikita Popov <nikita....@gmail.com> wrote:
>
> > I'm against adding this notice to password_hash. This will require all
> > applications to ensure that passwords are shorter than 72 chars. I don't
> > think that's a good idea.
>
> Generally speaking, it would not be a serious issue. A 72-byte constant prefix
> would most likely not be used.
>
> However, a bug like this in "authentication" code must be detected and
> fixed.
> If a password should be truncated, it should be truncated by app developers
> explicitly, and users notified that their password had been truncated. IMHO.
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohg...@ohgaki.net
Hi,

There's already a notice about this in the password_hash() docs, one that almost looks like it is designed to scare users, which is bad.

Throwing an E_NOTICE will cause more problems than it would supposedly solve. Application developers should just state this limitation on their registration/password change pages; anything else is pointless.

Cheers,
Andrey.
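The 72-byte bcrypt limit behind this thread, shown as an added example (not code from the thread or from PHP itself): two passwords that share their first 72 bytes verify against the same hash, and the explicit application-side length check Yasuo argues for. It assumes PHP 7.1 or later and that `password_hash()` is called with `PASSWORD_BCRYPT`; the helper names are made up for the example.

```php
<?php
// Added example, not code from the thread or from PHP itself.
// Demonstrates the 72-byte limit of PASSWORD_BCRYPT and an explicit
// length check an application can perform instead of relying on a notice.

// Assumed helper: reject passwords bcrypt would silently truncate.
// strlen() counts bytes, which is what bcrypt sees; multibyte characters
// use up the 72-byte budget faster than their visible character count.
function rejectIfTruncated(string $password, int $limit = 72): void
{
    if (strlen($password) > $limit) {
        throw new InvalidArgumentException(
            "Password is longer than {$limit} bytes and would be truncated by bcrypt."
        );
    }
}

// Assumed demo: hash one password, then verify a second one that shares
// its first 72 bytes but has a different tail. Because bcrypt never reads
// past byte 72, both verifications succeed against the same hash.
// Returns [original verifies, variant verifies].
function demonstrateTruncation(): array
{
    $prefix   = str_repeat('a', 72);      // constructed test data
    $original = $prefix . 'tail-one';
    $variant  = $prefix . 'tail-two';

    $hash = password_hash($original, PASSWORD_BCRYPT, ['cost' => 10]);

    return [
        password_verify($original, $hash),
        password_verify($variant, $hash),
    ];
}

[$originalOk, $variantOk] = demonstrateTruncation();
printf("original verifies: %s, variant verifies: %s\n",
    var_export($originalOk, true), var_export($variantOk, true));

// The same over-long password is caught up front by the explicit check.
try {
    rejectIfTruncated(str_repeat('a', 72) . 'tail-two');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Running it under PHP shows both `password_verify()` calls succeeding, which is the behaviour the proposed E_NOTICE was meant to flag; the length check surfaces it at registration time instead.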