Closed barryvdh closed 11 years ago
I said this exact thing ages ago so I agree fully. In Sentry, we check if the hashed password === false. If it does, we bitch out then, and then only.
Yeah checking for false password would probably be better on our end. I'll make that change.
For reference https://github.com/cartalyst/sentry/blob/master/src/Cartalyst/Sentry/Hashing/NativeHasher.php#L31-L42
On 13/06/2013, at 12:50 PM, Taylor Otwell notifications@github.com wrote:
Yeah checking for false password would probably be better on our end. I'll make that change.
Bcrypt hashing requires PHP 5.3.7, because of the needed support for $2y. But as described in https://github.com/ircmaxell/password_compat/issues/10, there are versions where this support is backported. The readme also states:
This library requires PHP >= 5.3.7 OR a version that has the $2y fix backported into it (such as RedHat provides).
When running on such a PHP version, I tried the version-test.php from the password_compat library, and it passes on the 5.3.3 Redhat version. But when using the Laravel Hashing functions, a
new \RuntimeException("Bcrypt hashing requires PHP 5.3.7");
is thrown, because of the version check. Removing this check works fine and passwords are generated okay. Is it possible to remove the password check, or perhaps set a variable to overrule this check?
I can see why you would want to check by default, but a way to enable this without changing the vendor files would be appreciated.
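The approach discussed in this thread, probing for working $2y support and failing only when hashing itself fails instead of comparing version numbers, can be sketched as follows. This is an added example, not code from Laravel, Sentry or password_compat; the function names `bcrypt_2y_supported` and `make_hash` and the probe salt are assumptions made for illustration, and `password_hash()` is assumed to be available (PHP >= 5.5 or a userland polyfill).

```php
<?php
// Added illustration: function names are hypothetical, not Laravel's or Sentry's API.

/**
 * Probe the running PHP build for working $2y$ bcrypt support,
 * rather than inferring it from PHP_VERSION.
 */
function bcrypt_2y_supported()
{
    if (!defined('CRYPT_BLOWFISH') || CRYPT_BLOWFISH != 1) {
        return false;
    }

    // Constructed probe setting: cost 04 keeps the probe cheap, and the
    // 22-character salt uses only characters from the bcrypt alphabet.
    $setting = '$2y$04$' . str_repeat('.', 22);
    $hash = crypt('probe', $setting);

    // A build without $2y$ support is expected to return a failure token or a
    // non-bcrypt hash, not a 60-character string that starts with the setting.
    return is_string($hash)
        && strlen($hash) === 60
        && strncmp($hash, $setting, strlen($setting)) === 0;
}

/**
 * Hash a password and raise an error only when hashing is unavailable or fails.
 */
function make_hash($value, $cost = 10)
{
    if (!function_exists('password_hash') || !bcrypt_2y_supported()) {
        throw new RuntimeException('Bcrypt ($2y$) hashing is not supported by this PHP build.');
    }

    $hash = password_hash($value, PASSWORD_BCRYPT, array('cost' => $cost));

    // Polyfills signal failure by returning false; check the result itself.
    if ($hash === false) {
        throw new RuntimeException('Bcrypt hashing failed.');
    }

    return $hash;
}

$hash = make_hash('constructed sample password');
var_dump(password_verify('constructed sample password', $hash));
```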