lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <2038716704.292037.1426612548230.JavaMail.open-xchange@oxuslxltgw11.lxa.perfora.net> Date: Tue, 17 Mar 2015 12:15:48 -0500 (CDT) From: Steve Thomas <steve@...tu.com> To: discussions@...sword-hashing.net Subject: Re: [PHC] pre-hashed passwords? > On March 17, 2015 at 8:08 AM Jean-Philippe Aumasson > <jeanphilippe.aumasson@...il.com> wrote: > > (After reading this nice post about passwords including null bytes: > http://blog.ircmaxell.com/2015/03/security-issue-combining-bcrypt-with.html) > > Has anyone already seen password hashes "pre-hashing" a password, to > handle length limitations? Things like > > password_hash(hash('sha256', $password, true), PASSWORD_DEFAULT) > > password_hash(hash_hmac('sha256', $password, $key, true), PASSWORD_DEFAULT) > I suggested it back in mid 2012 but had "hash('sha256', $pw)" for PHP's crypt(). It was part of an encrypted bcrypt hash library I made. Luckily I went with hex output. Probably because I knew about the problems with byte values >127 in some versions of bcrypt. Also I apparently never updated it... I'll do it tomorrow. P.S. PHP's crypt() also breaks with NUL characters.
Powered by blists - more mailing lists