Hi all,

On Mon, Jul 21, 2014 at 3:17 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:

> In the old days, crypt() was unusable securely. There are many
> users/developers that are used to having a static salt. Code like the
> below disables authentication completely.
>
> password_hash(hash('sha512', SOME_SECRET_SALT).$password, PASSWORD_DEFAULT);
>
> This should be prevented. (I would like to prevent it by raising an
> E_NOTICE error.)

E_NOTICE for a password larger than 72 is mandatory. Current password_hash()
works without any sign of a problem even if it may not be working as
authentication.

I'll add E_NOTICE as a bug fix if there aren't any more comments.

> If we would like to recommend "Just use it", we may consider adding SHA512
> to password_hash().

This one needs an RFC, but I'm OK with prehashing in userland. Please write
an RFC and implement it if you are willing to have this.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
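The following is an added example, not code from this thread or from the PHP project, showing why the quoted static-salt prehash disables authentication (bcrypt, the PASSWORD_DEFAULT algorithm, only reads the first 72 bytes of its input, and the sha512 hex digest alone is 128 bytes), a userland guard equivalent to the E_NOTICE proposed above, and a userland prehash that keeps the bcrypt input under 72 bytes. The salt and pepper values, and the function names, are constructed for illustration.

```php
<?php
// Constructed placeholder; the name SOME_SECRET_SALT comes from the quoted mail.
const SOME_SECRET_SALT = 'constructed-example-salt';

// The broken scheme from the thread: hash('sha512', ...) returns 128 hex chars,
// so the user's password sits entirely beyond bcrypt's 72-byte limit.
function brokenPrehash(string $password): string {
    return hash('sha512', SOME_SECRET_SALT) . $password;
}

// Userland prehash that stays within 72 bytes: base64 of a 32-byte HMAC is 44 chars.
// (Hypothetical helper; the thread only says prehashing in userland is acceptable.)
function safePrehash(string $password, string $pepper): string {
    return base64_encode(hash_hmac('sha256', $password, $pepper, true));
}

// Userland equivalent of the proposed E_NOTICE: refuse input bcrypt would
// silently truncate instead of producing a hash that ignores the password.
function hashPasswordChecked(string $bcryptInput): string {
    if (strlen($bcryptInput) > 72) {
        throw new LengthException('bcrypt input exceeds 72 bytes; the tail would be ignored');
    }
    return password_hash($bcryptInput, PASSWORD_DEFAULT);
}

// Broken scheme: the stored hash covers only the salt digest, so a wrong
// password still verifies.
$stored = password_hash(brokenPrehash('correct horse'), PASSWORD_DEFAULT);
var_dump(password_verify(brokenPrehash('wrong password'), $stored));

// The guard rejects the oversized input up front.
try {
    hashPasswordChecked(brokenPrehash('correct horse'));
} catch (LengthException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// Safe userland prehash: the whole password-derived value reaches bcrypt,
// so only the right password verifies.
$pepper = 'constructed-example-pepper';
$stored = hashPasswordChecked(safePrehash('correct horse', $pepper));
var_dump(password_verify(safePrehash('correct horse', $pepper), $stored));
var_dump(password_verify(safePrehash('wrong password', $pepper), $stored));
```

Run it with `php example.php`; the first var_dump is the failure mode the thread describes, the last two show the guarded prehash behaving as an authenticator should.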