On Mon, Aug 22, 2011 at 03:19:53PM +0200, Ferenc Kovacs wrote:
> we expected this imo.
> http://www.mail-archive.com/internals@lists.php.net/msg51683.html
> http://www.mail-archive.com/internals@lists.php.net/msg51687.html

Definitely.

> On Mon, Aug 22, 2011 at 3:05 PM, Pierre Joye <pierre....@gmail.com> wrote:
> > it seems that the changes break BC too, pls see
> > https://bugs.php.net/bug.php?id=55477

We may recommend to Christian to change $2a$ in existing hashes to $2x$ if
the goal is to preserve compatibility for all old passwords despite the
security risk associated with doing so.  The change as implemented
in PHP 5.3.7+ favors security and correctness over backwards compatibility,
but it also lets users (admins of PHP app installs) use the new $2x$
prefix on existing hashes to preserve backwards compatibility for those
and incur the associated security risk until all such passwords are
changed (using $2a$ or $2y$ for newly changed passwords).

No change to the PHP code is needed.

BTW, this is not the right thread to discuss this on (the "bug" has
nothing to do with CRYPT_SHA256).

Alexander

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
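The prefix handling Alexander describes, worked through as an added example (this is not code from the thread, from PHP, or from crypt_blowfish): to_bug_compatible() is the one-off rewrite of a stored $2a$ hash to $2x$ that he suggests, and verify_and_migrate() applies the same idea at login time instead, so a legacy hash is only ever accepted through the bug-compatible $2x$ computation and is then replaced with a fresh $2y$ hash. Assumed, not stated on the page: PHP 7 or later (random_bytes(), hash_equals()), stored hashes of the standard 60-character bcrypt form, and a cost of 12 for new hashes.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not code from the thread or from PHP itself.
 * Assumes PHP >= 7.0 (random_bytes, hash_equals) running on a crypt()
 * that understands the $2a$, $2x$ and $2y$ prefixes (PHP 5.3.7+).
 */

const BCRYPT_HASH_LEN = 60;

/* The one-off rewrite suggested in the thread: keep the salt and digest,
 * swap the prefix so crypt() uses the old, buggy (bug-compatible) key setup. */
function to_bug_compatible(string $hash): string
{
    if (substr($hash, 0, 4) !== '$2a$') {
        throw new InvalidArgumentException('only $2a$ hashes can be marked bug-compatible');
    }
    return '$2x$' . substr($hash, 4);
}

/* Fresh $2y$ setting string: "$2y$" + two-digit cost + 22 salt chars.
 * bcrypt's salt alphabet is ./A-Za-z0-9, so map base64's '+' to '.' and
 * drop the padding; 16 random bytes give more than the 22 chars needed. */
function new_2y_setting(int $cost = 12): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be in 4..31');
    }
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $salt);
}

/* Constant-time check that crypt() reproduces the stored hash when given
 * that hash as its setting. crypt() returns "*0" or "*1" on failure, so the
 * length check makes sure a failure string can never compare equal. */
function bcrypt_matches(string $password, string $stored): bool
{
    $computed = crypt($password, $stored);
    return strlen($computed) === BCRYPT_HASH_LEN && hash_equals($stored, $computed);
}

/*
 * Returns [authenticated, replacement_hash]. replacement_hash is null when
 * the stored hash needs no change, otherwise a new $2y$ hash the caller must
 * persist in place of the old one.
 */
function verify_and_migrate(string $password, string $stored): array
{
    if (strlen($stored) !== BCRYPT_HASH_LEN) {
        return [false, null];
    }
    $prefix = substr($stored, 0, 4);

    /* 1. Try the stored prefix as-is. The sign-extension bug only changed the
     *    result for passwords containing 8-bit characters, so a $2a$ hash of
     *    a pure-ASCII password produced by old PHP still verifies here. */
    if (($prefix === '$2a$' || $prefix === '$2y$') && bcrypt_matches($password, $stored)) {
        return [true, null];
    }

    /* 2. Legacy $2a$ hash of an 8-bit password: repeat the check with the
     *    bug-compatible $2x$ prefix, i.e. exactly what pre-5.3.7 PHP stored.
     *    This is the weak computation, so accept it once and rehash. */
    if ($prefix === '$2a$' && bcrypt_matches($password, to_bug_compatible($stored))) {
        $fresh = crypt($password, new_2y_setting());
        return [true, strlen($fresh) === BCRYPT_HASH_LEN ? $fresh : null];
    }

    return [false, null];
}

/* Constructed usage: no real hash from the page is involved. */
[$ok, $replacement] = verify_and_migrate('correct horse', crypt('correct horse', new_2y_setting(10)));
echo $ok ? "authenticated\n" : "rejected\n";
if ($replacement !== null) {
    echo "store new hash: $replacement\n";
}
```

If all you want is the thread's recommendation verbatim, run to_bug_compatible() once over every stored $2a$ hash and change nothing else; every password then keeps working, at the cost of keeping the weak hashes indefinitely. verify_and_migrate() instead leaves the column untouched and migrates each account on its next successful login, so the window in which a weak hash is accepted closes by itself. Either way, hashes written for new or changed passwords should use $2y$ (or $2a$), never $2x$.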