hash() is for cryptographic hashes and checksums. crypt() only supports
password hashing algorithms, which should not be used as a cryptographic hash or
checksum because they are purposefully slow.


> On 02/19/2022 7:16 PM Vasilii Shpilchin <vasilii.b.shpilc...@gmail.com> wrote:
> 
>  
> Hashes are not for passwords only. For instance, hashes are commonly used in
> sharding and to calculate checksums. I suggest adding a warning to the
> documentation, something like: if you need to hash a password, use
> password_hash().
> 
> Best regards,
> Vasilii.
> 
> On Sat, Feb 19, 2022, 8:03 PM <st...@tobtu.com> wrote:
> 
> > crypt() should be deprecated because it can be used to create bad password
> > hashes:
> >
> > * descrypt: 12 bits of salt is too small and it's ~100x faster to crack
> > than md5crypt, which itself is too fast for password crackers (see
> > CVE-2012-3287).
> > * Extended DES: 24 bits of salt is too small.
> > * md5crypt is too fast for password crackers (see CVE-2012-3287).
> > * sha256crypt and sha512crypt are dangerous (see CVE-2016-20013).
> >
> > Since password_verify() and password_needs_rehash() already support
> > hashes created with crypt(), the only thing needed to do is remove crypt().
> >
> > --
> > PHP Internals - PHP Runtime Development Mailing List
> > To unsubscribe, visit: https://www.php.net/unsub.php
> >
> >

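The split the thread is arguing about, as an added example that is not from the thread or from PHP's own documentation: hash() for a checksum, password_hash() for a password, and password_verify()/password_needs_rehash() accepting a legacy crypt() md5crypt hash and flagging it for migration on the next successful login. The password, the salt and the sample data are constructed for the example; the function names around the built-ins are my own.

```php
<?php
// Added example (not from the mailing-list thread). Shows the division of
// labour between hash(), crypt() and the password_* API in PHP.

// Integrity / checksum use: hash() is fast on purpose.
function dataChecksum(string $data): string
{
    return hash('sha256', $data);
}

// Password storage: password_hash() is salted and slow on purpose.
// PASSWORD_DEFAULT currently means bcrypt ("$2y$...").
function storePassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// A legacy md5crypt hash as crypt() would have produced it years ago.
// "$1$" selects md5crypt; the salt is constructed for this example.
function legacyMd5cryptHash(string $password): string
{
    return crypt($password, '$1$saltsalt$');
}

// Login path that keeps legacy users working and migrates them.
// password_verify() understands crypt()-format hashes, and
// password_needs_rehash() returns true for anything that is not
// already PASSWORD_DEFAULT with the current options, so a stored
// md5crypt hash gets replaced by a bcrypt hash after one good login.
// Returns [login succeeded, hash to persist (unchanged or upgraded)].
function verifyAndUpgrade(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return [false, $storedHash];
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $storedHash = password_hash($password, PASSWORD_DEFAULT);
    }
    return [true, $storedHash];
}

// Constructed sample run.
$password = 'correct horse battery staple';
$legacy   = legacyMd5cryptHash($password);

[$ok, $newHash] = verifyAndUpgrade($password, $legacy);
printf("legacy hash:   %s\n", $legacy);
printf("login ok:      %s\n", $ok ? 'yes' : 'no');
printf("stored hash:   %s\n", $newHash);
printf("still legacy:  %s\n", $newHash === $legacy ? 'yes' : 'no');

[$okWrong, ] = verifyAndUpgrade('wrong password', $legacy);
printf("wrong pw ok:   %s\n", $okWrong ? 'yes' : 'no');

printf("checksum:      %s\n", dataChecksum("payload to be shipped\n"));
```

The upgraded hash must be written back to the user record by the caller; the function only returns it. Note that the migration only happens when the user presents the correct password, because the plaintext is needed to compute the new hash, so accounts that never log in again keep their md5crypt hash and should be expired or forced through a reset instead.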