Re: Re: crypt() BC issue

From:	Yasuo Ohgaki	Date:	Sat, 19 Jul 2014 08:44:14 +0000
Subject:	Re: Re: crypt() BC issue
References:	1 2 3	Groups:	php.internals
Request:	Send a blank email to internals+get-75695@lists.php.net to get a copy of this message

Hi Nikita,

On Sat, Jul 19, 2014 at 2:46 PM, Nikita Popov <nikita.ppv@gmail.com> wrote:

> I'm against adding this notice to password_hash. This will require all
> applications to ensure that passwords are shorter than 72 chars. I don't
> think that's a good idea.


Generally speaking, it would not be serious issue. 72 bytes constant prefix
would
not be used most likely.

However, bug like this in "authentication" code must be detected  and
fixed.
If password should be truncated, it should be truncated by app developers
explicitly and
notified users that their password had been truncated.  IMHO.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net


   

Thread (32 messages)

• Yasuo OhgakiWed, 16 Jul 2014 00:46:54 +0000
  • Andrea FauldsWed, 16 Jul 2014 01:12:34 +0000
    • Yasuo OhgakiWed, 16 Jul 2014 01:45:24 +0000
      • Andrea FauldsWed, 16 Jul 2014 01:47:45 +0000
        • Yasuo OhgakiWed, 16 Jul 2014 01:54:47 +0000
  • Sara GolemonWed, 16 Jul 2014 23:53:07 +0000
    • Yasuo OhgakiThu, 17 Jul 2014 01:06:40 +0000
      • Tjerk MeestersThu, 17 Jul 2014 02:09:12 +0000
        • Yasuo OhgakiThu, 17 Jul 2014 02:25:06 +0000
          • Tjerk MeestersThu, 17 Jul 2014 06:16:38 +0000
            • Yasuo OhgakiThu, 17 Jul 2014 10:31:53 +0000
            • Adam HarveyThu, 17 Jul 2014 17:50:29 +0000
              • Anthony FerraraThu, 17 Jul 2014 19:38:23 +0000
                • Yasuo OhgakiThu, 17 Jul 2014 21:12:14 +0000
                  • Anthony FerraraThu, 17 Jul 2014 21:56:52 +0000
                    • Yasuo OhgakiSat, 19 Jul 2014 01:59:24 +0000
                      • Anthony FerraraSat, 19 Jul 2014 15:27:40 +0000
                        • Yasuo OhgakiSun, 20 Jul 2014 00:33:53 +0000
                          • Yasuo OhgakiMon, 21 Jul 2014 00:04:34 +0000
                            • David MuirMon, 21 Jul 2014 05:53:34 +0000
                              • Yasuo OhgakiMon, 21 Jul 2014 06:17:01 +0000
                                • Yasuo OhgakiMon, 21 Jul 2014 09:44:59 +0000
                                  • Anthony FerraraMon, 21 Jul 2014 14:32:10 +0000
                                    • Yasuo OhgakiTue, 22 Jul 2014 03:00:23 +0000
                                      • Pierre JoyeTue, 22 Jul 2014 03:12:38 +0000
                                    • Yasuo OhgakiTue, 22 Jul 2014 07:49:37 +0000
                                      • Anthony FerraraTue, 22 Jul 2014 14:27:25 +0000
                                        • Yasuo OhgakiWed, 23 Jul 2014 01:57:42 +0000
  • Yasuo OhgakiSat, 19 Jul 2014 02:15:01 +0000Re: crypt() BC issue
    • Nikita PopovSat, 19 Jul 2014 05:46:22 +0000Re: Re: crypt() BC issue
      • Yasuo OhgakiSat, 19 Jul 2014 08:44:14 +0000
        • Andrey AndreevSat, 19 Jul 2014 11:50:25 +0000