ircmaxell / password_compat

Compatibility with the password_* functions that ship with PHP 5.5
MIT License

Character ',' in salt makes the encoding wrong #77

Closed saro0h closed 9 years ago

saro0h commented 9 years ago

Hi,

I'm running the password encoding command in Symfony. Here is the Travis output: https://travis-ci.org/symfony/symfony/builds/53964672

I can see that the encoding of the password is not the same as PHP is doing.

The salt used is: AZERTYUIOPOfghjklytrert,yuiolnbcxdfghjkytrfghjk. The comma is a problem, as in your script you encode the salt in base64 if it does not match this regex => https://github.com/ircmaxell/password_compat/blob/master/lib/password.php#L98

I changed my test by removing this comma, but I guess it's not okay that the lib doesn't work like PHP does.

Thank you in advance for your help

ircmaxell commented 9 years ago

Relying on specific encoding rules is dangerous and is not recommended.

saro0h commented 9 years ago

Can you explain to me why, please?

ircmaxell commented 9 years ago

The API is designed to store the salt in the return (which it does). Therefore, there's no legitimate reason to make encoding of the salt a documented and reliable process.

I'd even go so far as to say using custom salts is the problem (there's really no reason to not let it generate a salt for you). It's something I strongly wish I would have left out of the implementation (the ability to specify a custom salt).
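The point made above, that the salt travels inside the string `password_hash()` returns and so never needs to be supplied, stored or encoded by the caller, can be seen directly. The following PHP is an added example written for this page, not code from the thread or from password_compat; `parseBcryptHash()` and the `check()` helper are my own, and the sample password is constructed. It runs against the native PHP 5.5+ `password_*` functions (or password_compat on older PHP) without ever passing a salt:

```php
<?php
// Added example (not part of the issue thread or of password_compat).
// Shows that the bcrypt salt lives inside the value password_hash() returns,
// so callers never supply, store or encode a salt themselves.

// Tiny assertion helper (my own) so the script fails loudly if a claim is wrong.
function check($cond, $msg)
{
    if (!$cond) {
        throw new RuntimeException("check failed: $msg");
    }
}

// Split a bcrypt string of the form "$2y$NN$<22-char salt><31-char hash>" into
// its parts. The layout is the standard bcrypt modular-crypt format; the regex
// is my own. Both salt and hash use only the bcrypt alphabet ./A-Za-z0-9.
function parseBcryptHash($hash)
{
    if (!preg_match('#^\$2y\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#', $hash, $m)) {
        return null; // not a bcrypt string in the layout we expect
    }
    return array('cost' => (int) $m[1], 'salt' => $m[2], 'hash' => $m[3]);
}

$password = 'correct horse battery staple'; // constructed sample input

// Let the library draw a random salt: the path ircmaxell recommends above.
$hash  = password_hash($password, PASSWORD_BCRYPT, array('cost' => 10));
$parts = parseBcryptHash($hash);

check($parts !== null, 'output is a well-formed $2y$ bcrypt string');
check(strlen($hash) === 60, 'bcrypt output is 60 characters');
check(strlen($parts['salt']) === 22, 'embedded salt is 22 bcrypt-alphabet characters');
// A ',' can never appear in this 22-character field, which is why any caller-supplied
// salt containing one has to be re-encoded into the bcrypt alphabet first.
check(strpos($parts['salt'], ',') === false, 'salt field uses only ./A-Za-z0-9');

// Verification needs only the stored hash; the cost and salt are read back out of it.
check(password_verify($password, $hash) === true, 'correct password verifies');
check(password_verify('wrong password', $hash) === false, 'wrong password is rejected');

// Two hashes of the same password differ because each call draws a fresh salt,
// yet both verify, so nothing about the salt needs to be kept anywhere else.
$hash2 = password_hash($password, PASSWORD_BCRYPT, array('cost' => 10));
check($hash !== $hash2, 'each call uses a new random salt');
check(password_verify($password, $hash2) === true, 'second hash also verifies');

// The embedded cost lets a stored hash be upgraded on next login without a salt.
check(password_needs_rehash($hash, PASSWORD_BCRYPT, array('cost' => 12)) === true,
      'a cost-10 hash is flagged for rehash when policy moves to cost 12');
check(password_needs_rehash($hash, PASSWORD_BCRYPT, array('cost' => 10)) === false,
      'a hash already at the current cost is not flagged');

echo "cost={$parts['cost']} salt={$parts['salt']}\n";
```

Run it with `php example.php`; it prints the cost and the 22-character salt field taken from the returned string. Because the salt is regenerated and embedded on every call, application code only ever stores the 60-character result and passes it back to `password_verify()`; the `salt` option that this issue exercises was deprecated in PHP 7.0 and is ignored (with a warning) from PHP 8.0, so code that depends on a particular salt encoding has no supported path forward.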