Yasuo,

> Hi all,
>
> A user requested that crypt() should raise an error without the 2nd (salt)
> parameter.
>
> https://bugs.php.net/bug.php?id=55036
>
> crypt() without a salt generates an extremely weak password hash. In addition
> to this, PHP 5.5 has password_hash().
>
> This change should be applied from 5.5, IMHO.
>
> Any comments?
>
> --
> Yasuo Ohgaki
> yohg...@ohgaki.net
>

Well, first off, a BC break like this should never go into a current
release. So I'd support it for master / NEXT only anyway.

I did some digging, and it appears that the Python module also has similar
behavior (allowing a null salt). But their behavior is to generate a strong
salt for the strongest algorithm available. So their behavior is actually
useful.

The other implementations that I've looked at would all error or simply
ignore the fact that the salt was empty (as a valid DES salt).

So, keeping with standard practices, I think we should E_DEPRECATE the
usage with only 1 parameter (no salt), and then in NEXT.NEXT change the
zend_parse_parameters definition to require 2 parameters...

My $0.02...
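As an added illustration of the behaviour discussed in this thread (this is not code from the thread or from php-src), the wrapper below does in userland what the reply proposes for crypt() itself: it refuses a missing or empty salt instead of silently falling back to a weak hash, and shows password_hash()/password_verify() as the replacement that needs no salt parameter at all. The function names `crypt_with_required_salt`, `hash_password` and `verify_password` and the exception types are assumptions for the example. Note that crypt() already reports its own failures by returning a string shorter than 13 characters, which the wrapper also checks.

```php
<?php
// Added example, not part of the mailing-list thread or of php-src.
// Function names below are assumptions chosen for this illustration.

/**
 * crypt() with the salt made mandatory: the missing-salt case that the thread
 * wants to deprecate/error on is rejected here instead of producing a weak hash.
 */
function crypt_with_required_salt(string $password, ?string $salt = null): string
{
    if ($salt === null || $salt === '') {
        throw new InvalidArgumentException(
            'crypt() requires an explicit salt; use password_hash() for new code'
        );
    }

    $hash = crypt($password, $salt);

    // crypt() signals failure with a string shorter than 13 characters
    // (for example "*0" or "*1"); surface that as an error too.
    if (strlen($hash) < 13) {
        throw new RuntimeException('crypt() failed for the supplied salt');
    }

    return $hash;
}

/**
 * Preferred replacement: password_hash() chooses the algorithm and generates a
 * random salt itself, so there is no salt argument for a caller to forget.
 */
function hash_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function verify_password(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// --- demonstration with a constructed sample password ---
$pw = 'correct horse battery staple';

// 1. No salt: rejected rather than hashed weakly.
try {
    crypt_with_required_salt($pw);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// 2. An explicit bcrypt salt ("$2y$", cost 10, 22 chars from ./A-Za-z0-9)
//    still goes through crypt() normally.
$bcryptSalt = '$2y$10$' . substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
echo crypt_with_required_salt($pw, $bcryptSalt), "\n";

// 3. The salt-free API: store the result, verify later.
$stored = hash_password($pw);
echo 'correct password verifies: ', var_export(verify_password($pw, $stored), true), "\n";
echo 'wrong password verifies:   ', var_export(verify_password('wrong', $stored), true), "\n";
```

Run it with the PHP CLI (`php example.php`); it needs PHP 5.5 or later for password_hash(). In current PHP 8 releases the salt argument of crypt() is already mandatory, so the first case there is a fatal ArgumentCountError from the engine rather than something a wrapper has to catch.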
