2011/8/22 Solar Designer <so...@openwall.com>:
> On Mon, Aug 22, 2011 at 04:01:46PM +0200, Pierre Joye wrote:
>> On Mon, Aug 22, 2011 at 3:52 PM, Solar Designer <so...@openwall.com> wrote:
>> >> On Mon, Aug 22, 2011 at 3:05 PM, Pierre Joye <pierre....@gmail.com> wrote:
>> >> > it seems that the changes break BC too, pls see
>> >> > https://bugs.php.net/bug.php?id=55477
>> >
>> > We may recommend to Christian to change $2a$ in existing hashes to $2x$ if
>> > the goal is to preserve compatibility for all old passwords despite
>> > the security risk associated with doing so.  The change as implemented
>> > in PHP 5.3.7+ favors security and correctness over backwards compatibility,
>> > but it also lets users (admins of PHP app installs) use the new $2x$
>> > prefix on existing hashes to preserve backwards compatibility for those
>> > and incur the associated security risk until all such passwords are
>> > changed (using $2a$ or $2y$ for newly changed passwords).
>> >
>> > No change to the PHP code is needed.
>>
>> Can you add this comment to the bug please? So every user reading it
>> will be informed. That's also something we have to document better.
>
> I just did - I added a more verbose comment, though.  I think you may
> use this for documentation:

Added to http://php.net/security/crypt, and added a link from the
release announcement and changelog.
(should show up in an hour or two).

-Hannes
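The prefix-swap advice quoted above in working form, as an added example that is not code from the thread, from Solar Designer or from PHP itself. It assumes PHP 5.3.7 or later, where crypt() understands the $2x$ and $2y$ prefixes, and the helper names bcrypt_salt, bcrypt_hash, bcrypt_equals and verify_and_migrate are this example's own. A stored $2a$ hash is first checked as-is; only if that fails, and only if the admin has opted in, is it re-checked under $2x$ (the old behaviour), and any success on a non-$2y$ hash triggers a rehash with $2y$ so the compatibility window closes per password rather than staying open site-wide.

```php
<?php
// Added example (not from the thread): migrating legacy bcrypt hashes after
// the PHP 5.3.7 crypt() change. Assumes PHP 5.3.7+ (crypt() accepts the
// "$2x$" and "$2y$" prefixes). All function names below are this example's own.

// Build a bcrypt setting string: prefix, two-digit cost, 22-char salt.
// The bcrypt salt alphabet is ./A-Za-z0-9, so base64 '+' is mapped to '.'.
function bcrypt_salt($prefix = '$2y$', $cost = 10) {
    $raw  = openssl_random_pseudo_bytes(16);
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    return $prefix . sprintf('%02d', $cost) . '$' . $salt;
}

// Hash a new or changed password with the correct ("$2y$") algorithm.
function bcrypt_hash($password) {
    return crypt($password, bcrypt_salt('$2y$'));
}

// Constant-time string comparison (hash_equals() only exists from PHP 5.6).
function bcrypt_equals($a, $b) {
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Verify $password against $stored and decide whether to rehash.
// Returns array(bool $ok, string|null $newHash); when $newHash is not null
// the caller should store it in place of $stored.
function verify_and_migrate($password, $stored, $allow_legacy = false) {
    // 1. Check the hash exactly as stored (correct behaviour in 5.3.7+).
    if (bcrypt_equals(crypt($password, $stored), $stored)) {
        $needs_rehash = (substr($stored, 0, 4) !== '$2y$');
        return array(true, $needs_rehash ? bcrypt_hash($password) : null);
    }
    // 2. Optional legacy path: a "$2a$" hash produced by the pre-5.3.7 code
    //    may only match under the "$2x$" prefix. Enabling this accepts the
    //    security risk the thread describes, so rehash immediately on success.
    if ($allow_legacy && substr($stored, 0, 4) === '$2a$') {
        $legacy = '$2x$' . substr($stored, 4);
        if (bcrypt_equals(crypt($password, $legacy), $legacy)) {
            return array(true, bcrypt_hash($password));
        }
    }
    return array(false, null);
}

// Usage sketch with a constructed, hypothetical stored hash (placeholder):
// list($ok, $new) = verify_and_migrate($_POST['password'],
//                                      $row['password_hash'], true);
// if ($ok && $new !== null) { /* UPDATE users SET password_hash = $new */ }
```

Leaving $allow_legacy off by default keeps the behaviour the thread calls "security and correctness over backwards compatibility"; turning it on is the per-installation decision Solar Designer describes, and the rehash-on-success step is what eventually makes the $2x$ path unnecessary.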

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php