compatibility with sha512 #71
Conversation
| case PASSWORD_SHA512: | ||
| // Note that this is a C constant, but not exposed to PHP, so we don't define it here. | ||
| $rounds = 5000; | ||
| if (isset($options['rounds'])) { |
There was a problem hiding this comment.
Shouldn't this be done in the same way as on line 232, for consistency? Or the other way around.
$rounds = isset($options['rounds']) ? $options['rounds'] : 5000;There was a problem hiding this comment.
I now read the code for bcrypt above, and you're consistent with that implementation. Maybe both should be rewritten? But that should probably go into another issue.
There was a problem hiding this comment.
I don't think either of them should be rewritten. In the password_hash() function we're just setting a default value but afterwards checking the value provided in the $options array for validity. In password_needs_rehash() we're effectively checking if the rounds (or cost) in the hash needs to be changed.
|
My thoughts are as follows: http://php.net/manual/en/function.crypt.php#refsect1-function.crypt-changelog First and foremost, But even if that were not the case: http://php.net/manual/en/function.password-hash.php - only supports Since this library is a compatibility layer, it should not seek to introduce functionality that the target library does not, itself, support. Therefore, if this patch is going to be merged, then PHP's |
|
@sarciszewski I do agree that ideally the change should go into php as well. I was already looking at patching the source but I am no skilled C developer and time is short right now unfortunately. I will continue with that when I have more time on my hands though. In any case, I'd first like to see how this plays out to see if it would even be acceptable for upstream php. |
|
I see. I would leave that decision with @ircmaxell and @rlerdorf -- I can Does password_verify() validate non-bcrypt hashes? I'm on my phone and @sarciszewski https://github.com/sarciszewski I do agree that ideally the change should go into php as well. I was — |
|
I am a strong -1 on this. Why would we want to add support for a demonstrably weaker alternative? If you have compatibility needs (with other applications/systems that don't support bcrypt), then you don't have the same problem that this API was designed for. I'd rather not add support for a weaker alternative to this API, and rather would have people with those needs use a different library (like my PasswordLib).
I would argue that the request should be to make those stronger, not make us weaker. |
Yes. However that fact should not be relied upon and is undocumented. This may change in a future version. |
|
@ircmaxell password_verify() relies on crypt(). And password_hash() is documented to be compatible with crypt(). crypt() in turn is documented to be compatible with a number of hashing algorithms, including sha512. |
|
I have to agree with @ircmaxell here. Sorry. ;) |
Again, then I would suggest having them improve their systems rather than reducing the strength of ours.
Today. As an implementation detail. This is not documented, and nor should be relied upon.
In that the results of
Correct. But |
👍 |
These changes add support for sha512 hashing algorithm. This is often required for compatibility with applications that don't support bcrypt.
I am far from an expert on this level, but these changes work fine on our setup. What are your thoughts?