Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20170507184515.GA2527@openwall.com>
Date: Sun, 7 May 2017 20:45:15 +0200
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com, phpass-users@...ts.openwall.com
Subject: [openwall-announce] phpass 0.5

Hi,

phpass was released in 2005 when a typical web host ran PHP 4 and a
typical web app used raw MD5.  In 2007 and on major web apps moved to
phpass, which was an important step forward, bringing web apps' password
hashing on par with Unix systems'.  phpass API might also have inspired
the password_hash() / password_verify() API included in PHP 5.5+.

At this time, if your new project can afford to require PHP 5.5+, which
it should, please use PHP's native password_hash() / password_verify()
API instead of phpass.  If you have to support versions of PHP older
than 5.5, if you need to keep support for phpass portable hashes in new
revisions of your existing project, or/and if you need to support those
hashes migrated from other web apps, then phpass is still useful for
you, which is why we continue to keep its maintenance on life support.

As part of said life support, I've just released phpass 0.5, available
at the usual location:

http://www.openwall.com/phpass/

The changes are as follows:

- Dropped PHP 3 & 4 support in favor of PHP 7 friendliness (no deprecation
warnings).  Specifically:

  - Added the new-style constructor.

  - Just assume md5() supports a second argument, which it does since PHP 5.

  - Use the === and !== comparison operators.

- While at it, dropped the fallback to CRYPT_EXT_DES (if there's no working
CRYPT_BLOWFISH, fallback to the portable hashes right away).

I made the latter change in part for simplicity (as this intermediate
fallback was rarely triggered without a further fallback anyway), and in
part to avoid further possibility of triggering an old Debian bug, which
I had described under "another problem" in:

http://www.openwall.com/lists/oss-security/2012/05/04/7

I'd like to thank the people reminding me to make a phpass update over
the years, and in particular Walt Sorensen who pointed out the PHP 7
deprecation warning about the old constructor and proposed a workaround.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.