ircmaxell / PHP-PasswordLib

A library for generating and validating passwords

SHA salts shorter than 16 #20

Open lode opened 9 years ago

lode commented 9 years ago

I have SHA-256 hashes with a salt of 9 characters. According to what I understand, the spec allows this. However, the library doesn't detect / verify hashes in this format.

ircmaxell commented 9 years ago

What "spec" do you speak of?

lode commented 9 years ago

Here: http://www.akkadia.org/drepper/SHA-crypt.txt, as linked from http://php.net/manual/en/function.crypt.php. Also, an implementation for python mentions this https://pythonhosted.org/passlib/lib/passlib.hash.sha256_crypt.html.

ircmaxell commented 9 years ago

Ok, that's fair. It's just about tweaking the detection regex.

Just be aware that 54 bits of entropy (9 base64-encoded characters) is quite weak. I'd strongly suggest moving up from there (to the full 16, or better still, going with bcrypt).
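As an added illustration of the detection change discussed above (this is not PasswordLib's code, and the sample hash strings are constructed, with placeholder checksums rather than real digests), the following parser accepts the SHA-crypt modular format from Drepper's SHA-crypt.txt with any salt length from 0 to 16 characters, and reports how little entropy a short salt carries:

```python
import re
from typing import Optional

# SHA-crypt modular format (Drepper, SHA-crypt.txt):
#   $5$[rounds=N$]salt$checksum   SHA-256, checksum is 43 crypt-base64 chars
#   $6$[rounds=N$]salt$checksum   SHA-512, checksum is 86 crypt-base64 chars
# The salt is 0..16 characters from "./0-9A-Za-z" (longer salts are truncated
# to 16 by the algorithm, so a stored hash never carries more than 16).
_B64 = r"[./0-9A-Za-z]"
_SHACRYPT_RE = re.compile(
    r"^\$(?P<id>[56])\$"
    r"(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>" + _B64 + r"{0,16})\$"
    r"(?P<checksum>" + _B64 + r"+)$"
)
_CHECKSUM_LEN = {"5": 43, "6": 86}
ROUNDS_DEFAULT, ROUNDS_MIN, ROUNDS_MAX = 5000, 1000, 999_999_999


def parse_sha_crypt(hash_string: str) -> Optional[dict]:
    """Split a SHA-crypt hash into its parts, or return None if it is not one."""
    m = _SHACRYPT_RE.match(hash_string)
    if m is None:
        return None
    algo = m.group("id")
    if len(m.group("checksum")) != _CHECKSUM_LEN[algo]:
        return None  # checksum length is fixed per algorithm
    rounds = ROUNDS_DEFAULT if m.group("rounds") is None else int(m.group("rounds"))
    rounds = max(ROUNDS_MIN, min(ROUNDS_MAX, rounds))  # clamp as the spec does
    salt = m.group("salt")
    return {
        "algorithm": "sha256" if algo == "5" else "sha512",
        "rounds": rounds,
        "salt": salt,
        # each crypt-base64 character carries 6 bits: 9 chars -> 54 bits
        "salt_bits": 6 * len(salt),
        "short_salt": len(salt) < 16,
    }


# Constructed samples: the checksum parts are placeholders, not real digests.
LEGACY_HASH = "$5$saltsalt1$" + "A" * 43           # 9-character salt
FULL_HASH = "$5$rounds=10000$saltsaltsaltsalt$" + "B" * 43   # 16-character salt

if __name__ == "__main__":
    for h in (LEGACY_HASH, FULL_HASH, "$2y$10$notshacrypt"):
        print(parse_sha_crypt(h))
```

A detection regex that hard-codes `{16}` for the salt rejects the first sample; `{0,16}` accepts it while the `salt_bits` field makes the weakness visible to whatever migrates the record.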

lode commented 9 years ago

Yeah, I'm aware of that :) This is a legacy database I'm reading, and when users log in they will get converted to using password_hash().