Thanks for the suggestion. I think we'll have to use more than just digits to make the salt more random, and indeed, we cannot rely on system devices.

Something like this may work:

 function pmcrypt($pass, $salt=null) {
   if(is_null($salt)) { # create hash
     if(function_exists('password_hash')) # PHP 5.5+
       # password_hash() needs the password and an algorithm; it already
       # returns a crypt()-compatible hash ($2y$ ...), so passing that hash
       # back to crypt() as the "salt" re-derives the same value
       return crypt($pass, password_hash($pass, PASSWORD_DEFAULT));
     else return crypt($pass); # salt chosen internally by crypt() (E_NOTICE from 5.6)
   }
   else return crypt($pass, $salt); # verify: $salt is the stored hash
 }

This relies on PHP features. Before PHP 5.5 it uses the default random hash creation internal to crypt(), like we use it now. Since PHP 5.5 it will use the password_hash() function which should return a sufficiently random hash compatible with the operating system.

Then we'll have to update the documentation about setting $DefaultPasswords in config.php: instead of crypt(), use pmcrypt().

Does anyone see a better way to do it? Pm?

Thanks,
Petko

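Here is an added example, not PmWiki's code or anything from the thread above, of the same idea carried a step further: it builds the crypt() salt from a cryptographically strong random source (random_bytes() on PHP 7+, openssl_random_pseudo_bytes() on older PHP) rather than from crypt()'s salt-less mode or a fixed string such as the digits of Pi, and it verifies passwords in constant time. The function names pmcrypt_salt(), pmcrypt_hash() and pmcrypt_check() are assumed for the illustration; the scheme fallbacks (bcrypt $2y$ from PHP 5.3.7, SHA-512 $6$ from PHP 5.3.0) follow the PHP crypt() documentation.

```php
<?php
// Added example (not PmWiki's code): random salts for crypt(), and a
// constant-time check. Function names are assumed for this illustration.

// Return $len characters from the crypt() salt alphabet [./A-Za-z0-9],
// drawn from a CSPRNG. A fixed string (digits of Pi, local time) would make
// the salt predictable, which defeats its purpose.
function pmcrypt_salt($len = 22) {
    $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    if (function_exists('random_bytes')) {                 // PHP 7.0+
        $bytes = random_bytes($len);
    } elseif (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes($len, $strong);
        if ($bytes === false || !$strong) {
            throw new RuntimeException('no cryptographically strong random source');
        }
    } else {
        throw new RuntimeException('no cryptographically strong random source');
    }
    $salt = '';
    for ($i = 0; $i < $len; $i++) {
        // 64-symbol alphabet: masking to 6 bits picks a symbol without bias
        $salt .= $alphabet[ord($bytes[$i]) & 0x3f];
    }
    return $salt;
}

// Hash a password. Prefer password_hash() (PHP 5.5+); otherwise build a
// bcrypt ($2y$) salt for crypt() on PHP >= 5.3.7 with Blowfish available,
// else fall back to SHA-512 crypt ($6$) with a 16-character salt.
function pmcrypt_hash($pass) {
    if (function_exists('password_hash')) {
        return password_hash($pass, PASSWORD_DEFAULT);
    }
    if (defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH
        && version_compare(PHP_VERSION, '5.3.7', '>=')) {
        return crypt($pass, '$2y$10$' . pmcrypt_salt(22));
    }
    return crypt($pass, '$6$' . pmcrypt_salt(16) . '$');
}

// Verify a password against a stored hash. crypt() reads the scheme and
// salt from the stored hash itself; the comparison is constant-time so the
// hash prefix cannot be learned from timing.
function pmcrypt_check($pass, $hash) {
    if (function_exists('password_verify')) {              // PHP 5.5+
        return password_verify($pass, $hash);
    }
    $computed = crypt($pass, $hash);
    if (function_exists('hash_equals')) {                  // PHP 5.6+
        return hash_equals($hash, $computed);
    }
    if (strlen($hash) !== strlen($computed)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($hash); $i++) {
        $diff |= ord($hash[$i]) ^ ord($computed[$i]);
    }
    return $diff === 0;
}

// Usage: the value returned by pmcrypt_hash() is what goes into
// $DefaultPasswords in config.php; pmcrypt_check() is the verification side.
$stored = pmcrypt_hash('correct horse battery staple');
var_dump(pmcrypt_check('correct horse battery staple', $stored));
var_dump(pmcrypt_check('wrong password', $stored));
```

The salt is never stored separately: crypt() and password_hash() embed the scheme, cost and salt in the hash string, so pmcrypt_check() only needs the stored hash, which is the same two-argument crypt($pass, $hash) call the existing PmWiki verification already makes.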

Chris Knadle writes:
On Saturday, February 15, 2014 20:58:28 Petko Yotov wrote:
> Hello.
>
> There was a known bug in some PHP versions when crypt() is used without a
> "salt" parameter, see http://www.pmwiki.org/wiki/PITS/01277 .
>
> This was a bug, but from PHP 5.6 on there will be a "feature", and using
> crypt() without a salt will raise E_NOTICE. See http://php.net/crypt .
>
> We are using crypt() without a salt to create hashes from passwords.
>
> Does anyone have a suggestion how to implement a random enough salt
> parameter?

One suggestion I've seen for this is taking a long section of the value of Pi
as a string, and using pieces of that as the salt.  Perhaps taking a long
section as a string, and choosing a piece based on the local time?

[I'm only suggesting this because I'm making the assumption that a local
source of "good" randomness such as /dev/urandom is not available.  However
from what I've read, what "good" randomness means even if this device exists
differs depending on the system in question.]


_______________________________________________
pmwiki-devel mailing list
pmwiki-devel@pmichaud.com
http://www.pmichaud.com/mailman/listinfo/pmwiki-devel
