On Sun, 9 Feb 2025 at 20:58, Rob Landers wrote:
> I fully agree with you, however it is also the default password hashing
> algorithm. People may not read the docs and assume a generic implementation
> that isn’t constrained. Since it is the default and has constraints, we
> should probably at

On Sun, Feb 9, 2025, at 16:20, Kamil Tekiela wrote:
> Hi,
>
> I would say that this is a pretty bad idea. 72 bytes of entropy are
> quite a lot for *PASSWORDS*. Even if some users use a pass phrase
> longer than that, the first 72 bytes are enough to provide sufficient
> security. People who use

Hi,
I would say that this is a pretty bad idea. 72 bytes of entropy are
quite a lot for *PASSWORDS*. Even if some users use a pass phrase
longer than that, the first 72 bytes are enough to provide sufficient
security. People who use it for other stuff, like in the linked
article, are only to blame

Hello internals,
I saw the following on Hacker News the other day:
https://news.ycombinator.com/item?id=42955176
The article talks about how many implementations do not emit a warning,
and PHP is one of them (though the author didn't cover PHP explicitly).
You can see this play out here:
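The link the post refers to is not reproduced in this excerpt. What follows is an added PHP example, not code from the post, from any participant, or from PHP's own sources: it shows the bcrypt behaviour under discussion (only the first 72 bytes of the input affect the hash, and password_hash()/password_verify() raise no warning about it) and the kind of guard an application can add itself. The function name hashPasswordChecked and the pass phrases are assumptions constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Demonstrates bcrypt's 72-byte limit as
// exposed through password_hash()/password_verify(). PASSWORD_BCRYPT is what
// PASSWORD_DEFAULT currently resolves to, which is why the thread cares.

// Constructed pass phrase of 80 bytes: 72 x 'a' followed by 8 x 'b'.
$long = str_repeat('a', 72) . str_repeat('b', 8);
// Constructed pass phrase sharing the first 72 bytes but differing after them.
$differsAfter72 = str_repeat('a', 72) . str_repeat('c', 8);

// Cost 4 is the minimum PHP accepts; used here only to keep the demo fast.
$hash = password_hash($long, PASSWORD_BCRYPT, ['cost' => 4]);

var_dump(password_verify($long, $hash));                 // true
var_dump(password_verify($differsAfter72, $hash));       // true: bytes after 72 are ignored
var_dump(password_verify(substr($long, 0, 72), $hash));  // true: the 72-byte prefix alone is enough
// No warning or notice was emitted by any of the calls above.

// A guard the application can add itself, since PHP does not emit one.
// strlen() counts bytes, not characters, which is the unit bcrypt truncates on;
// a multibyte UTF-8 pass phrase hits the limit sooner than its character count suggests.
function hashPasswordChecked(string $password): string
{
    if (strlen($password) > 72) {
        throw new InvalidArgumentException(
            'bcrypt only uses the first 72 bytes of the password; got ' . strlen($password) . ' bytes'
        );
    }
    return password_hash($password, PASSWORD_BCRYPT);
}

try {
    hashPasswordChecked($long);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Whether to reject, warn, or silently accept over-long input is a policy choice; the point of the demo is that the application has to make that choice explicitly, because password_hash() with bcrypt will not surface it. Where PHP is built with Argon2 support, PASSWORD_ARGON2ID has no such input-length truncation, but switching algorithms is a separate decision from documenting the bcrypt limit.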