On Jul 19, 2014 11:45 AM, "Yasuo Ohgaki" <[email protected]> wrote:
>
> Hi Nikita,
>
> On Sat, Jul 19, 2014 at 2:46 PM, Nikita Popov <[email protected]> wrote:
>
> > I'm against adding this notice to password_hash. This will require all
> > applications to ensure that passwords are shorter than 72 chars. I don't
> > think that's a good idea.
>
> Generally speaking, it would not be a serious issue. A 72-byte constant
> prefix would most likely not be used.
>
> However, a bug like this in "authentication" code must be detected and
> fixed. If a password should be truncated, it should be truncated by app
> developers explicitly, and users notified that their password has been
> truncated. IMHO.
>
> Regards,
>
> --
> Yasuo Ohgaki
> [email protected]
Hi,

There's already a notice about this in the password_hash() docs, one that
almost looks like it is designed to scare users, which is bad. Throwing an
E_NOTICE will cause more problems than it would supposedly solve.
Application developers should just state this limitation on their
registration/password change pages; anything else is pointless.

Cheers,
Andrey.
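The behaviour the thread is arguing about, shown as an added PHP example that is not from the mailing list or from PHP's own sources: password_hash() with PASSWORD_BCRYPT silently uses only the first 72 bytes, so two passwords sharing a 72-byte prefix verify against the same hash, and the explicit check Yasuo describes has to live in application code. The helper name hashPasswordChecked and the constant BCRYPT_MAX_BYTES are hypothetical; the inputs are constructed.

```php
<?php
// Added example: demonstrate bcrypt's 72-byte limit in password_hash()
// and one way an application can surface it instead of hiding it.

// Constructed inputs: identical for the first 72 bytes, different afterwards.
$prefix   = str_repeat('a', 72);
$password = $prefix . 'SECRET-TAIL-1';
$other    = $prefix . 'different-tail';

$hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

// Both calls succeed: bcrypt only ever looked at the first 72 bytes,
// so the differing tails never entered the hash.
$sameHashForOriginal = password_verify($password, $hash);
$sameHashForOther    = password_verify($other, $hash);
printf("original verifies: %s, other verifies: %s\n",
    var_export($sameHashForOriginal, true),
    var_export($sameHashForOther, true));

// Hypothetical helper: refuse input whose bytes beyond 72 would be
// ignored, so the limit is stated by the application rather than silent.
const BCRYPT_MAX_BYTES = 72;

function hashPasswordChecked(string $password): string
{
    // strlen() counts bytes, which is what bcrypt truncates on; multibyte
    // UTF-8 input can reach the limit well before 72 characters.
    $bytes = strlen($password);
    if ($bytes > BCRYPT_MAX_BYTES) {
        throw new InvalidArgumentException(sprintf(
            'Password may be at most %d bytes; %d given.',
            BCRYPT_MAX_BYTES, $bytes
        ));
    }
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
}

try {
    hashPasswordChecked($password); // 85 bytes: rejected with a clear message
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The same byte-length check belongs on the registration and password-change forms Andrey mentions, so the user learns about the limit at input time rather than from a silently truncated password.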
