Date: Sun, 7 May 2017 20:45:15 +0200
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com, phpass-users@...ts.openwall.com
Subject: [openwall-announce] phpass 0.5

Hi,

phpass was released in 2005 when a typical web host ran PHP 4 and a
typical web app used raw MD5.  From 2007 on, major web apps moved to
phpass, which was an important step forward, bringing web apps' password
hashing on par with Unix systems'.  The phpass API might also have inspired
the password_hash() / password_verify() API included in PHP 5.5+.

At this time, if your new project can afford to require PHP 5.5+, which
it should, please use PHP's native password_hash() / password_verify()
API instead of phpass.  If you have to support versions of PHP older
than 5.5, if you need to keep support for phpass portable hashes in new
revisions of your existing project, and/or if you need to support those
hashes migrated from other web apps, then phpass is still useful for
you, which is why we continue to keep its maintenance on life support.

As part of said life support, I've just released phpass 0.5, available
at the usual location:

http://www.openwall.com/phpass/

The changes are as follows:

- Dropped PHP 3 & 4 support in favor of PHP 7 friendliness (no deprecation
warnings).  Specifically:

  - Added the new-style constructor.

  - Just assume md5() supports a second argument, which it does since PHP 5.

  - Use the === and !== comparison operators.

- While at it, dropped the fallback to CRYPT_EXT_DES (if there's no working
CRYPT_BLOWFISH, fall back to the portable hashes right away).

I made the latter change in part for simplicity (as this intermediate
fallback was rarely triggered without a further fallback anyway), and in
part to avoid further possibility of triggering an old Debian bug, which
I had described under "another problem" in:

http://www.openwall.com/lists/oss-security/2012/05/04/7

I'd like to thank the people reminding me to make a phpass update over
the years, and in particular Walt Sorensen who pointed out the PHP 7
deprecation warning about the old constructor and proposed a workaround.

Alexander
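The migration path the announcement recommends, as an added example that is not part of the message and not phpass's own code: a small re-implementation of the $P$/$H$ portable-hash check (the md5 chain over salt and password followed by crypt-style encode64, written PHP 7-style with md5()'s raw-output argument and === comparisons), used once to verify a legacy hash at login and then replace it with password_hash() output. It assumes PHP 7.1+; the class and function names (LegacyPhpassVerifier, login) are mine, the user table is constructed, and the sample hash is the check vector from phpass's own test.php, whose password is "test12345".

```php
<?php
// Added example, not phpass's own code: verify a legacy phpass portable
// hash ("$P$" or "$H$") and, on success, re-hash with password_hash().
// Assumes PHP 7.1+ (hash_equals, nullable return types, private const).

final class LegacyPhpassVerifier
{
    private const ITOA64 =
        './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

    public static function isPortableHash(string $hash): bool
    {
        $id = substr($hash, 0, 3);
        return ($id === '$P$' || $id === '$H$') && strlen($hash) === 34;
    }

    public static function verify(string $password, string $hash): bool
    {
        $computed = self::computePortable($password, $hash);
        // null means the stored value was not a parseable portable hash.
        return $computed !== null && hash_equals($hash, $computed);
    }

    // Portable scheme: char 3 encodes log2 of the iteration count, chars
    // 4..11 are the salt, the remaining 22 chars are encode64(md5 chain).
    private static function computePortable(string $password, string $setting): ?string
    {
        if (!self::isPortableHash($setting)) {
            return null;
        }
        $countLog2 = strpos(self::ITOA64, $setting[3]);
        // Same bounds phpass enforces: 2^7 .. 2^30 iterations.
        if ($countLog2 === false || $countLog2 < 7 || $countLog2 > 30) {
            return null;
        }
        $count = 1 << $countLog2;
        $salt = substr($setting, 4, 8);
        // md5()'s second argument requests raw 16-byte output, which the
        // chain feeds back in; phpass 0.5 now simply assumes it exists.
        $hash = md5($salt . $password, true);
        do {
            $hash = md5($hash . $password, true);
        } while (--$count);
        return substr($setting, 0, 12) . self::encode64($hash);
    }

    // crypt(3)-style base64: bits packed little-endian per 3-byte group.
    private static function encode64(string $input): string
    {
        $itoa64 = self::ITOA64;
        $n = strlen($input);
        $out = '';
        $i = 0;
        while ($i < $n) {
            $value = ord($input[$i++]);
            $out .= $itoa64[$value & 0x3f];
            if ($i < $n) {
                $value |= ord($input[$i]) << 8;
            }
            $out .= $itoa64[($value >> 6) & 0x3f];
            if ($i++ >= $n) {
                break;
            }
            if ($i < $n) {
                $value |= ord($input[$i]) << 16;
            }
            $out .= $itoa64[($value >> 12) & 0x3f];
            if ($i++ >= $n) {
                break;
            }
            $out .= $itoa64[($value >> 18) & 0x3f];
        }
        return $out;
    }
}

// Login over a username => stored-hash table. A legacy phpass hash is
// accepted once and replaced by password_hash() output; native hashes are
// upgraded whenever password_needs_rehash() reports a cost change.
function login(array &$users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    $stored = $users[$username];
    if (LegacyPhpassVerifier::isPortableHash($stored)) {
        if (!LegacyPhpassVerifier::verify($password, $stored)) {
            return false;
        }
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample table; the hash is phpass test.php's check vector
// for the password "test12345".
$users = ['alice' => '$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0'];
$expect = function (bool $cond, string $what): void {
    if (!$cond) { throw new RuntimeException("failed: $what"); }
};
$expect(login($users, 'alice', 'wrong') === false, 'wrong password rejected');
$expect(LegacyPhpassVerifier::isPortableHash($users['alice']), 'still legacy after a failure');
$expect(login($users, 'alice', 'test12345') === true, 'legacy hash verifies');
$expect(!LegacyPhpassVerifier::isPortableHash($users['alice']), 'replaced by password_hash()');
$expect(login($users, 'alice', 'test12345') === true, 'native hash verifies');
echo "ok: ", $users['alice'], "\n";
```

Run it with the php CLI; the final line prints the upgraded native hash. The legacy check only ever runs while the stored value still carries the $P$/$H$ prefix, so once every active user has logged in once, the re-implementation (and phpass itself) can be removed; accounts that never log in keep their old hash and should be expired or forced through a reset rather than re-hashed blindly, since the plaintext is needed to move them.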
