From: ("")
Date:  09 Aug 2016 03:42:48 Hong Kong Time

[PEAR-BUG] Bug #21099 [Com]: [patch] bcrypt hashing for Apache

NNTP-Posting-Host:  null

Edit report at

 ID:               21099
 Comment by:
 Reported By:      maddes+pear at maddes dot net
 Summary:          [patch] bcrypt hashing for Apache
 Status:           Open
 Type:             Bug
 Package:          File_Passwd
 Operating System: Debian 8 Jessie
 Package Version:  1.1.7
 PHP Version:      5.6.23
 Roadmap Versions: 
 New Comment:

The patch also...

...determines the password type from the prefix/salt in function
verifyPasswd. This is necessary to verify a password which is not
encrypted with the current encryption mode.
Example_ you ask your users to change their passwords to convert them
from SHA/MD5 to BCRYPT.

...use MD5 as default in Authbasic.php, as SHA is insecure and DES is
not available on Windows.

Previous Comments:

[2016-08-08 15:29:00] maddes

Added #patch


[2016-07-24 20:20:29] maddes

Added #patch


[2016-07-24 20:15:19] maddes

File/Passwd[.php|/AuthBasic.php] does not support the recommended bcrypt
hashing ($2y$nn$) for passwords in .htpasswd files.
Blowfish $2y$ for bcrypt is supported by PHP since 5.3.7 (see changelog

A patch is attached that adds this functionality.


Edit this bug report at