Re: [PHP-DEV] [VOTE] Change crypt() behavior w/o salt

2013-10-24 Thread Yasuo Ohgaki
Hi all, On Wed, Oct 23, 2013 at 2:11 AM, Adam Harvey wrote: > "Generating an insecure weak hash as no salt was given: please ensure > the salt parameter is specified and uses a strong hash type in order > to generate a cryptographically secure hash" > I guess this would be one of the longest er

Re: [PHP-DEV] [VOTE] Change crypt() behavior w/o salt

2013-10-22 Thread Andrea Faulds
On 22/10/2013 07:10, Yasuo Ohgaki wrote:
Hi all, Any comments patch for this RFC? Better E_NOTICE message is welcome.

I'm a native English speaker, how about "Calling crypt() without giving a salt will not produce strong password hashes."? It doesn't necessarily say you will produce a stro

Re: [PHP-DEV] [VOTE] Change crypt() behavior w/o salt

2013-10-07 Thread Yasuo Ohgaki
Hi all,

The vote period has ended and the result was:

0 Generate strong salt by default
12 Generate E_NOTICE error
2 Keep current behavior (Use weak hash)

I'll prepare a patch for it later.

Thank you.

--
Yasuo Ohgaki yohg...@ohgaki.net

On Wed, Sep 25, 2013 at 1:17 PM, Yasuo Ohgaki wrote:
> Hi

Re: [PHP-DEV] [VOTE] Change crypt() behavior w/o salt

2013-09-24 Thread Yasuo Ohgaki
Hi Alexey,

On Tue, Sep 24, 2013 at 11:22 PM, Alexey Zakhlestin wrote:
> strangely, this RFC is not shown in "In voting phase" section here:
> https://wiki.php.net/rfc
> is that done manually?
>

I should have done this. Thank you for pointing it out.

Regards,

--
Yasuo Ohgaki yohg...@ohgaki.net

Re: [PHP-DEV] [VOTE] Change crypt() behavior w/o salt

2013-09-24 Thread Alexey Zakhlestin
On 24.09.2013, at 5:41, Yasuo Ohgaki wrote:
> Hi all,
>
> It's been a while since the discussion.
> I set up a vote for RFC: Change crypt() behavior w/o salt.
>
> https://wiki.php.net/rfc/crypt_function_salt
>
> If I missed something, please let me know.

strangely, this RFC is not shown in "In v

Re: [PHP-DEV] [VOTE] Change crypt() behavior w/o salt

2013-09-24 Thread William Bartlett
I think BC (like requiring salt) are unnecessary given that password_* functions already exist with salt enabled by default. But an E_NOTICE isn't a bad idea.

--
William Bartlett
College of Engineering | Cornell University '14
240-432-5189

On Mon, Sep 23, 2013 at 10:47 PM, Pierre Joye wrote:

Re: [PHP-DEV] [VOTE] Change crypt() behavior w/o salt

2013-09-23 Thread Pierre Joye
On Sep 23, 2013 6:42 PM, "Yasuo Ohgaki" wrote:
>
> Hi all,
>
> It's been a while since the discussion.
> I set up a vote for RFC: Change crypt() behavior w/o salt.
>
> https://wiki.php.net/rfc/crypt_function_salt
>
> If I missed something, please let me know.

Thank you for pushing this RFC so far! O

[PHP-DEV] [VOTE] Change crypt() behavior w/o salt

2013-09-23 Thread Yasuo Ohgaki
Hi all,

It's been a while since the discussion.
I set up a vote for RFC: Change crypt() behavior w/o salt.

https://wiki.php.net/rfc/crypt_function_salt

If I missed something, please let me know.

Thank you.

--
Yasuo Ohgaki yohg...@ohgaki.net