Date: Sun, 7 May 2017 20:45:15 +0200 From: Solar Designer <solar@...nwall.com> To: announce@...ts.openwall.com, phpass-users@...ts.openwall.com Subject: [openwall-announce] phpass 0.5 Hi, phpass was released in 2005 when a typical web host ran PHP 4 and a typical web app used raw MD5. In 2007 and on major web apps moved to phpass, which was an important step forward, bringing web apps' password hashing on par with Unix systems'. phpass API might also have inspired the password_hash() / password_verify() API included in PHP 5.5+. At this time, if your new project can afford to require PHP 5.5+, which it should, please use PHP's native password_hash() / password_verify() API instead of phpass. If you have to support versions of PHP older than 5.5, if you need to keep support for phpass portable hashes in new revisions of your existing project, or/and if you need to support those hashes migrated from other web apps, then phpass is still useful for you, which is why we continue to keep its maintenance on life support. As part of said life support, I've just released phpass 0.5, available at the usual location: http://www.openwall.com/phpass/ The changes are as follows: - Dropped PHP 3 & 4 support in favor of PHP 7 friendliness (no deprecation warnings). Specifically: - Added the new-style constructor. - Just assume md5() supports a second argument, which it does since PHP 5. - Use the === and !== comparison operators. - While at it, dropped the fallback to CRYPT_EXT_DES (if there's no working CRYPT_BLOWFISH, fallback to the portable hashes right away). I made the latter change in part for simplicity (as this intermediate fallback was rarely triggered without a further fallback anyway), and in part to avoid further possibility of triggering an old Debian bug, which I had described under "another problem" in: http://www.openwall.com/lists/oss-security/2012/05/04/7 I'd like to thank the people reminding me to make a phpass update over the years, and in particular Walt Sorensen who pointed out the PHP 7 deprecation warning about the old constructor and proposed a workaround. Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.