Comments (7)
It will (by design) validate any crypt(3) format EXCEPT CRYPT_STD_DES (which is 13 characters). So if the passed-in hash to password_verify is less than 13 characters, validation will ALWAYS fail. But if it's more than 13 characters, and it's a valid crypt() representation (using crypt-md5 for example) of that password, it will succeed.
There should be no danger feeding in an empty hash string...
from password_compat.
FYI native password_verify() does not reject DES hashes: https://3v4l.org/hKl4X
from password_compat.
It DOES ignore them though on 7.0+.
from password_compat.
The 3v4l snippet posted above shows the opposite. Do you think they use a patched PHP build that specifically enables this behavior?
from password_compat.
Don't know. I might be wrong though. ;)
from password_compat.
7.0.1 and 7.0.0 accept them:
❯ vendor/bin/phpunit test/Unit/PasswordVerifyTest.php --testdox password_compat/git/accept_des_hashes
PHPUnit 4.8.21 by Sebastian Bergmann and contributors.
Runtime: PHP 7.0.1 with Xdebug 2.4.0RC4-dev
Configuration: /home/weirdan/src/password_compat/phpunit.xml.dist
Warning: Deprecated configuration setting "strict" used
PasswordVerify
[...snip...]
[x] Des hashes are accepted
❯ vendor/bin/phpunit test/Unit/PasswordVerifyTest.php --testdox password_compat/git/accept_des_hashes
PHPUnit 4.8.21 by Sebastian Bergmann and contributors.
Runtime: PHP 7.0.0 with Xdebug 2.4.0RC4-dev
Configuration: /home/weirdan/src/password_compat/phpunit.xml.dist
Warning: Deprecated configuration setting "strict" used
PasswordVerify
[...snip...]
[x] Des hashes are accepted
from password_compat.
I'm wrong then. ;)
from password_compat.
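A stricter check built on the behaviour discussed in this thread, as an added example (not password_compat's code and not any commenter's): it classifies the stored hash by format first and only hands hashes recognised by the password_* API to password_verify(), so 13-character DES crypt hashes are reported for migration instead of being accepted. The function names, the sample values and the reject-legacy policy are assumptions.

```php
<?php
// Added example, not password_compat code. Function names and the policy
// (refuse anything the password_* API does not recognise) are assumptions.

/** Classify a stored hash by format only; no password is needed. */
function classify_hash(string $hash): string
{
    // Hashes in a format the password_* API knows are recognised here.
    if (password_get_info($hash)['algoName'] !== 'unknown') {
        return 'password_api';
    }
    // Traditional DES crypt: exactly 13 chars, 2-char salt + 11-char digest.
    if (preg_match('#^[./0-9A-Za-z]{13}$#D', $hash)) {
        return 'legacy_des';
    }
    // Other crypt(3) formats: extended DES ("_"), MD5, SHA-256/512, old bcrypt.
    if (preg_match('#^(_[./0-9A-Za-z]{19}|\$(1|5|6|2[abx])\$.+)$#D', $hash)) {
        return 'legacy_crypt';
    }
    return 'invalid'; // empty, truncated, or unknown data
}

/** Verify only password_* hashes; report legacy formats instead of accepting. */
function verify_strict(string $password, string $hash): array
{
    $kind = classify_hash($hash);
    if ($kind !== 'password_api') {
        return ['ok' => false, 'kind' => $kind, 'rehash' => false];
    }
    $ok = password_verify($password, $hash);
    return [
        'ok'     => $ok,
        'kind'   => $kind,
        'rehash' => $ok && password_needs_rehash($hash, PASSWORD_DEFAULT),
    ];
}

// Constructed sample rows: a fresh bcrypt hash, a DES crypt hash, an empty one.
$samples = [
    'bcrypt' => password_hash('rasmuslerdorf', PASSWORD_DEFAULT),
    'des'    => crypt('rasmuslerdorf', 'rl'),
    'empty'  => '',
];
foreach ($samples as $label => $hash) {
    $r = verify_strict('rasmuslerdorf', $hash);
    printf("%-6s kind=%-12s ok=%s\n", $label, $r['kind'], var_export($r['ok'], true));
}
```

Rows reported as `legacy_des` or `legacy_crypt` are the ones to route through a password reset or a rehash-on-next-login path rather than through password_verify() directly.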