We can also consider switching the default to Argon2id. As Scott says, the NUL byte truncation is not a bug in PHP, but a bug in the algorithm. I don't know the exact specification, but maybe we should leave the current implementation as is?