On 28.07.2011 12:53, Alex Nikitin wrote:
Just as a word of caution to everyone on this list, mcrypt version of blowfish (which is implemented by PHP) (in Linux) has an 8-bit bug in it, and thus should not be used for hashing passwords even as backup. Basically, if you use a character such as, say, a British pound in your password, blowfish with PHP will generate a wrong hash and allow for some extensive collisions. For example, a hash for "ac" followed by a pound or euro or any of those extended chars (that are present on European keyboards and such) and a hash for just that char would be the same! If you want I can show you with some demo code. But until fixed, don't use blowfish with PHP on Linux at least, if you can.
Very interesting, thanks for the heads up. So if you use the class change

    $this->hash_supported = 'sha256|sha512|blowfish|md5';

to

    $this->hash_supported = 'sha256|sha512|md5';

So blowfish can not be used.

Problem:

Using salt: Vi4mT5vCge5SWQRH7onIlo

hash this: ac€
$2a$08$Vi4mT5vCge5SWQRH7onIleRMijSY4OVXS8.4diEKLENMF5Dd7HcjC

hash this: €
$2a$08$Vi4mT5vCge5SWQRH7onIleRMijSY4OVXS8.4diEKLENMF5Dd7HcjC

hash this: ac£
$2a$08$Vi4mT5vCge5SWQRH7onIle.3A9uIUxgFol/7HjY04C.oWQVa2nvw.

hash this: £
$2a$08$Vi4mT5vCge5SWQRH7onIle.3A9uIUxgFol/7HjY04C.oWQVa2nvw.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
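
An added example, not part of the thread and not PHP's or the library's own code: a simplified model of how packing password bytes into 32-bit Blowfish key words through a signed char makes the inputs above collide. Assumptions: the "8-bit bug" is a sign extension in key setup, the passwords arrived in a single-byte encoding (€ = 0x80, £ = 0xA3), and the names `expand_key` and `keys_collide` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_WORDS 18 /* Blowfish P-array holds 18 32-bit words */

/* Pack the password, cycled and including its NUL terminator, into key words.
 * sign_extend = 1 models reading each byte through a signed char (assumed bug);
 * sign_extend = 0 models the corrected unsigned read. */
static void expand_key(const char *pw, int sign_extend, uint32_t out[KEY_WORDS])
{
    size_t len = strlen(pw) + 1, pos = 0;
    for (int i = 0; i < KEY_WORDS; i++) {
        uint32_t tmp = 0;
        for (int j = 0; j < 4; j++) {
            unsigned char b = (unsigned char)pw[pos];
            tmp <<= 8;
            if (sign_extend)
                /* 0x80 becomes 0xFFFFFF80: the OR wipes the earlier bytes */
                tmp |= (uint32_t)(int32_t)(signed char)b;
            else
                tmp |= b;
            pos = (pos + 1) % len;
        }
        out[i] = tmp;
    }
}

/* Returns 1 when both passwords expand to identical key material. */
static int keys_collide(const char *a, const char *b, int sign_extend)
{
    uint32_t ka[KEY_WORDS], kb[KEY_WORDS];
    expand_key(a, sign_extend, ka);
    expand_key(b, sign_extend, kb);
    return memcmp(ka, kb, sizeof ka) == 0;
}

int main(void)
{
    /* Constructed inputs: the thread's passwords in the assumed encoding. */
    const char *ac_euro = "ac\x80", *euro = "\x80";
    const char *ac_pound = "ac\xA3", *pound = "\xA3";

    printf("signed read:   ac+euro == euro?   %d\n", keys_collide(ac_euro, euro, 1));
    printf("signed read:   ac+pound == pound? %d\n", keys_collide(ac_pound, pound, 1));
    printf("signed read:   euro == pound?     %d\n", keys_collide(euro, pound, 1));
    printf("unsigned read: ac+euro == euro?   %d\n", keys_collide(ac_euro, euro, 0));
    return 0;
}
```

In this model the signed read reproduces the pattern of the hashes above (same key for "ac€" and "€", same for "ac£" and "£", different between the two pairs), and the unsigned read separates them.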