On Thu, Jul 17, 2014 at 10:25 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> Hi Tjerk, > > On Thu, Jul 17, 2014 at 11:09 AM, Tjerk Meesters <tjerk.meest...@gmail.com > > wrote: > >> Why should `password_verify()` work on a hash that wasn't generated with >> `password_hash()`? The fact that it uses `crypt()` internally should not >> leak outside of its API, imho. > > > password_*() is designed as crypt() wrapper and this fact is documented > since it was released. > > Obsolete password hash is easy to verify with password_needs_rehash(). > Developers can check password database easily with password_needs_rehash(). > The documentation states that the `hash` argument to both `password_needs_rehash()` and `password_verify()` is: hash - A hash created by password_hash(). Passing a value from your own crypt() implementation may work, but that shouldn't be relied upon. I certainly wouldn't classify it as a problem that should be fixed in the password api. i.e. They don't have to parse password hash to detect obsolete hash. > > Therefore, using password_*() for crypt() generated passwords makes sense. > > Regards, > > -- > Yasuo Ohgaki > yohg...@ohgaki.net > -- -- Tjerk