If crypt() is removed, you can still use password_verify() to verify all the password hashes created by crypt(). The only thing you lose is creating those bad password hashes, which can be done in userland because most people aren't changing their passwords daily, so it will run that slow userland code infrequently. This will not help the nested bcrypt example. Well, except that the last bcrypt call can be password_verify():
password_verify(crypt($password, $hash), $hash);

> On 02/21/2022 4:10 AM Tim Düsterhus <t...@bastelstu.be> wrote:
>
> Hi Marco
>
> On 2/21/22 10:15, Marco Pivetta wrote:
>> If it's not going to be removed, what's the point of annoying people
>> with deprecation warnings (that they would patch out/silence anyway)?
>>
>
> Probably to be removed in `9.0` or `10.0`? Yes, it should be removed at
> some point.
>
> In contrast to other deprecations (e.g. the utf8_encode/decode currently
> discussed), deprecating and ultimately removing crypt() results in an
> actual loss of functionality.
>
> Even if we leave that home-grown nested BCrypt hashing out of the
> picture, crypt() allows one to interoperate with non-PHP software that
> does not support BCrypt, but supports the SHA-X variants. I already
> mentioned Dovecot as an example, but BCrypt support in glibc in general
> is something that was added only somewhat recently (and I'm not even
> sure if that's only for Debian-based systems or generally available [1]).
>
> Yes, users should just use password_hash() if they need to hash
> passwords. Yes, the documentation for crypt() should more prominently
> point to password_hash() as the better alternative. But if crypt()'s
> features are what you need, then alternatives to crypt() (e.g. a
> userland implementation or FFI) certainly are going to be even worse.
>
> Best regards
> Tim Düsterhus
>
> [1] https://sourceware.org/bugzilla/show_bug.cgi?id=16814
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: https://www.php.net/unsub.php
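An added, runnable example (not code from the thread, and not PHP's own code) of the point made in the message above: hashes that only crypt() can create in PHP, the SHA-256/SHA-512 crypt formats Tim mentions for Dovecot interoperability and bcrypt via crypt() itself, are all accepted by password_verify(), and in a double-bcrypt construction only the inner call still depends on crypt() while the outer comparison becomes password_verify(). It assumes PHP 8 or later. The password is a constructed sample, the helper names (cryptSalt, legacyCryptHashes, verifyAll, nestedBcryptHash, nestedBcryptVerify) are mine, and since the thread's own nested scheme is not shown on the page, the nested functions only mirror the shape of the one-liner above (same bcrypt setting for both layers) rather than reproduce that scheme.

```php
<?php
declare(strict_types=1);

// Random salt from the crypt() alphabet [./0-9A-Za-z]. base64 also emits '+',
// which crypt() does not accept, so it is mapped to '.'; '=' padding is dropped.
function cryptSalt(int $length): string
{
    $raw = strtr(rtrim(base64_encode(random_bytes($length)), '='), '+', '.');
    return substr($raw, 0, $length);
}

// Hashes that only crypt() can create in PHP: the SHA-crypt variants that
// non-PHP software understands, plus bcrypt produced through crypt() itself.
function legacyCryptHashes(string $password): array
{
    return [
        'sha256-crypt' => crypt($password, '$5$rounds=10000$' . cryptSalt(16) . '$'),
        'sha512-crypt' => crypt($password, '$6$rounds=10000$' . cryptSalt(16) . '$'),
        'bcrypt'       => crypt($password, '$2y$10$' . cryptSalt(22)),
    ];
}

// password_verify() hands any non-Argon hash to the crypt() code path internally
// and compares in constant time, so it verifies every format above without the
// caller ever invoking crypt().
function verifyAll(string $password, array $hashes): array
{
    $results = [];
    foreach ($hashes as $name => $hash) {
        $results[$name] = password_verify($password, $hash);
    }
    return $results;
}

// Double bcrypt with one shared setting string, written only to show the shape
// of the one-liner above. The outer hash begins with the same
// '$2y$10$<22-char salt>' setting, and crypt() reads only that prefix of its
// second argument, so crypt($password, $outer) re-derives the inner hash.
function nestedBcryptHash(string $password): string
{
    $setting = '$2y$10$' . cryptSalt(22);
    $inner = crypt($password, $setting); // inner layer: still needs crypt()
    return crypt($inner, $setting);      // outer layer
}

function nestedBcryptVerify(string $password, string $outer): bool
{
    // Only the inner call depends on crypt(); the final comparison is
    // password_verify(), which is what the message above proposes.
    return password_verify(crypt($password, $outer), $outer);
}

// Constructed sample input.
$password = 'correct horse battery staple';
$hashes = legacyCryptHashes($password);

foreach (verifyAll($password, $hashes) as $name => $ok) {
    printf("%-13s %s\n", $name, $ok ? 'verified by password_verify()' : 'FAILED');
}
foreach (verifyAll('wrong password', $hashes) as $name => $ok) {
    printf("%-13s wrong password %s\n", $name, $ok ? 'ACCEPTED (bug)' : 'rejected');
}

$outer = nestedBcryptHash($password);
printf("nested bcrypt: %s / %s\n",
    nestedBcryptVerify($password, $outer) ? 'correct password accepted' : 'FAILED',
    nestedBcryptVerify('wrong password', $outer) ? 'ACCEPTED (bug)' : 'wrong password rejected');
```

Run it with `php example.php`. The verification side needs no crypt() at all, which is the part that would survive a removal; creating the `$5$`/`$6$` hashes and the inner layer of the nested construction are the parts that would not.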