From:  pear-qa@lists.php.net ("maddes+pear@maddes.net")
Date:  09 Aug 2016 03:42:48 Hong Kong Time
Newsgroup:  news.php.net/php.pear.bugs
Subject:  

[PEAR-BUG] Bug #21099 [Com]: [patch] bcrypt hashing for Apache

NNTP-Posting-Host:  null

Edit report at https://pear.php.net/bugs/bug.php?id=21099&edit=1

 ID:               21099
 Comment by:       maddes+pear@maddes.net
 Reported By:      maddes+pear at maddes dot net
 Summary:          [patch] bcrypt hashing for Apache
 Status:           Open
 Type:             Bug
 Package:          File_Passwd
 Operating System: Debian 8 Jessie
 Package Version:  1.1.7
 PHP Version:      5.6.23
 Roadmap Versions: 
 New Comment:

The patch also...

...determines the password type from the prefix/salt in function
verifyPasswd. This is necessary to verify a password which is not
encrypted with the current encryption mode.
Example_ you ask your users to change their passwords to convert them
from SHA/MD5 to BCRYPT.

...use MD5 as default in Authbasic.php, as SHA is insecure and DES is
not available on Windows.


Previous Comments:
------------------------------------------------------------------------

[2016-08-08 15:29:00] maddes

Added #patch
bug:21099;patch:File_Passwd-add-bcrypt-support;revision:1470684540;.

------------------------------------------------------------------------

[2016-07-24 20:20:29] maddes

Added #patch
bug:21099;patch:File_Passwd-add-bcrypt-support;revision:1469406029;.

------------------------------------------------------------------------

[2016-07-24 20:15:19] maddes

Description:
------------
File/Passwd[.php|/AuthBasic.php] does not support the recommended bcrypt
hashing ($2y$nn$) for passwords in .htpasswd files.
Blowfish $2y$ for bcrypt is supported by PHP since 5.3.7 (see changelog
at http://php.net/manual/en/function.crypt.php)

A patch is attached that adds this functionality.

------------------------------------------------------------------------


-- 
Edit this bug report at https://pear.php.net/bugs/bug.php?id=21099&edit=1