crypt() BC issue

From:	Yasuo Ohgaki	Date:	Wed, 16 Jul 2014 00:46:54 +0000
Subject:	crypt() BC issue
Groups:	php.internals
Request:	Send a blank email to internals+get-75570@lists.php.net to get a copy of this message

Hi all,

crypt() has BC issue with older systems.

https://bugs.php.net/bug.php?id=62372&edit=1

The reason rounds became 1000 from 10 is hardcoded lower limit for newer
PHPs.
Generally speaking, developer should never use less than 1000 rounds and
better to have
at least few thousands rounds or more, tens of thousands or more is
recommended.

I would like to make this bug report 'wont fix', since migration is
possible.

 - Developer may use larger rounds and store updated hash when
   user is authenticated with old PHP.
 - Developer may ask users to reset password if password hash has
   to fewer rounds than 1000 (i.e. outdated hash) with new PHP.

Any comments?

--
Yasuo Ohgaki
yohgaki@ohgaki.net


   

Thread (32 messages)

• Yasuo OhgakiWed, 16 Jul 2014 00:46:54 +0000
  • Andrea FauldsWed, 16 Jul 2014 01:12:34 +0000
    • Yasuo OhgakiWed, 16 Jul 2014 01:45:24 +0000
      • Andrea FauldsWed, 16 Jul 2014 01:47:45 +0000
        • Yasuo OhgakiWed, 16 Jul 2014 01:54:47 +0000
  • Sara GolemonWed, 16 Jul 2014 23:53:07 +0000
    • Yasuo OhgakiThu, 17 Jul 2014 01:06:40 +0000
      • Tjerk MeestersThu, 17 Jul 2014 02:09:12 +0000
        • Yasuo OhgakiThu, 17 Jul 2014 02:25:06 +0000
          • Tjerk MeestersThu, 17 Jul 2014 06:16:38 +0000
            • Yasuo OhgakiThu, 17 Jul 2014 10:31:53 +0000
            • Adam HarveyThu, 17 Jul 2014 17:50:29 +0000
              • Anthony FerraraThu, 17 Jul 2014 19:38:23 +0000
                • Yasuo OhgakiThu, 17 Jul 2014 21:12:14 +0000
                  • Anthony FerraraThu, 17 Jul 2014 21:56:52 +0000
                    • Yasuo OhgakiSat, 19 Jul 2014 01:59:24 +0000
                      • Anthony FerraraSat, 19 Jul 2014 15:27:40 +0000
                        • Yasuo OhgakiSun, 20 Jul 2014 00:33:53 +0000
                          • Yasuo OhgakiMon, 21 Jul 2014 00:04:34 +0000
                            • David MuirMon, 21 Jul 2014 05:53:34 +0000
                              • Yasuo OhgakiMon, 21 Jul 2014 06:17:01 +0000
                                • Yasuo OhgakiMon, 21 Jul 2014 09:44:59 +0000
                                  • Anthony FerraraMon, 21 Jul 2014 14:32:10 +0000
                                    • Yasuo OhgakiTue, 22 Jul 2014 03:00:23 +0000
                                      • Pierre JoyeTue, 22 Jul 2014 03:12:38 +0000
                                    • Yasuo OhgakiTue, 22 Jul 2014 07:49:37 +0000
                                      • Anthony FerraraTue, 22 Jul 2014 14:27:25 +0000
                                        • Yasuo OhgakiWed, 23 Jul 2014 01:57:42 +0000
  • Yasuo OhgakiSat, 19 Jul 2014 02:15:01 +0000Re: crypt() BC issue
    • Nikita PopovSat, 19 Jul 2014 05:46:22 +0000Re: Re: crypt() BC issue
      • Yasuo OhgakiSat, 19 Jul 2014 08:44:14 +0000
        • Andrey AndreevSat, 19 Jul 2014 11:50:25 +0000