On 28.07.2011 12:53, Alex Nikitin wrote:
Just as a word of caution to everyone on this list, mcrypt version of
blowfish (which is implemented by php) (in linux) has an 8bit bug in it, and
thus should not be used for hashing passwords even as backup. Basically if
you use a character such as say a British pound in your password, blowfish
with php will generate, a wrong hash and allow for some extensive
collisions. For example a hash for "ac" followed by a pound or euro or any
of those extended chars (that are present on European keyboards and such)
and a hash for just that char, would be the same! If you want I can show you
with some demo code. But until fixed, don't use blowfish with php on linux
at least, if you can.


Very interesting, thanks for the heads up.
So if you use the class change
  $this->hash_supported = 'sha256|sha512|blowfish|md5';
to
  $this->hash_supported = 'sha256|sha512|md5';
So blowfish can not be used.

Problem:
Using salt: Vi4mT5vCge5SWQRH7onIlo
hash this: ac€
$2a$08$Vi4mT5vCge5SWQRH7onIleRMijSY4OVXS8.4diEKLENMF5Dd7HcjC
hash this: €
$2a$08$Vi4mT5vCge5SWQRH7onIleRMijSY4OVXS8.4diEKLENMF5Dd7HcjC

hash this: ac£
$2a$08$Vi4mT5vCge5SWQRH7onIle.3A9uIUxgFol/7HjY04C.oWQVa2nvw.
hash this: £
$2a$08$Vi4mT5vCge5SWQRH7onIle.3A9uIUxgFol/7HjY04C.oWQVa2nvw.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to