Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-52283

Deprecation of Salt Option for password_hash() in PHP7

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • 2.9.3, 3.0
    • 2.9.4, 3.0.1
    • General

    Description

      See https://github.com/tpunt/PHP7-Reference#deprecation-of-salt-option-for-password_hash

      With the introduction of the new password hashing API in PHP 5.5, many began implementing it and generating their own salts. Unfortunately, many of these salts were generated from cryptographically insecure functions like mt_rand(), making the salt far weaker than what would have been generated by default. (Yes, a salt is always used when hashing passwords with this new API!) The option to generate salts have therefore been deprecated to prevent developers from creating insecure salts.

      Attachments

        Activity

          People

            tlevi Tony Levi
            marina Marina Glancy
            Marina Glancy Marina Glancy
            Dan Poltawski Dan Poltawski
            Adrian Greeve Adrian Greeve
            Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Sujith Haridasan
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:
              21/Dec/15