Why was password_hash’s "salt" option discontinued in PHP 7?


2

I am getting this error while trying to do the following test:

$options = [
 "salt" => "um salt grandão de responsa",
 "cost" => 12,
];

password_hash('123456', PASSWORD_DEFAULT, $options);

It returns:

Use of the 'salt' option to password_hash is deprecated

Why is the salt option considered obsolete?

  • According to the most-voted reply to that question, it may even have been depreciated initially, but what matters to us is that it was deprecated :P

    Basically because most PHP people have no idea what they are doing, and instead of using the salt as they should, they damaged security by using other fields or a fixed value in its place. If there are people who do absurd things like saving Base64 in the DB, or using addslashes to sanitize MySQL, imagine the rest...

  • @Bacco I always write "depreciated". "Deprecated" I find ugly as hell.

  • The most appropriate term is "obsolete". "Depreciated" is more related to monetary values. And "deprecated" is a term used in the legal field, where it refers to a judge who has received an order to perform a certain judicial service. On the subject, well, I believe PHP is following the standards of the World Health Organization, which recommends reducing salt (haha, joking aside). PHP abolished the salt option because it believes it is more interesting to use the function’s internal salt generator.

2 answers

5


Because the salt should be unique for each password, allowing you to define a salt could lead you to define a constant salt.

For example:

password_hash('senha_legal', PASSWORD_DEFAULT, ['salt' => '1234567891234567891234']);

That way all passwords would use 1234567891234567891234, and they would all come out as follows:

$2y$10$123456789123456789123u2l31KVtAAQPjgDEYorAjG5V8p9MWDx2
$2y$10$123456789123456789123uOlCRXcGHP2s7.4hwA7pLsVlmqL3pmLq
$2y$10$123456789123456789123uN0gdQ.iBssxH4MxYvSqqYkSgAKQuL9S

The use of a salt makes a common password unusual, so if a user registers with the same password, using the same salt would result in:

$2y$10$123456789123456789123uN0gdQ.iBssxH4MxYvSqqYkSgAKQuL9S

No matter how many times you run php -r "echo password_hash('senha_legal', PASSWORD_DEFAULT, ['salt' => '1234567891234567891234']);" the result will always be this, regardless of where, when, or on which server.

An attacker will have the password of two users, because all users who use the password senha_legal will have the same result; in addition, he may be able to generate many candidate hashes using the same salt and thus check directly whether the passwords match.

Examples used:

123 => $2y$10$123456789123456789123u2l31KVtAAQPjgDEYorAjG5V8p9MWDx2
teste => $2y$10$123456789123456789123uOlCRXcGHP2s7.4hwA7pLsVlmqL3pmLq
senha_legal  => $2y$10$123456789123456789123uN0gdQ.iBssxH4MxYvSqqYkSgAKQuL9S

What makes passwords different is the salt applied to them, and you can see the salt is present in the above output as the constant 123456789123456789123, with the $10 indicating their difficulty.

  • Very good, very good. Sometimes I just find it tiresome that PHP takes measures against "nephew programmers". I think everyone should take responsibility for their own choices :p

  • @Wallacemaxters But this is good; it’s not just an "anti-nephew" measure, it’s a security improvement, one less concern for the programmer, so you can focus on what really matters: solving the problem in front of you without always needing to worry about the same details.
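As an added illustration (not code from the question or the answers above), the following PHP script parses stored bcrypt strings, flags hashes that share a salt (the fixed-salt pattern the answer describes, using the hashes it shows as constructed sample data), and shows that password_hash() without a salt option produces distinct but still verifiable hashes for the same password. The usernames and the fourth entry are constructed; the script assumes PHP 7.4 or later for the arrow function.

```php
<?php
// Added example: audit stored bcrypt hashes for reused salts and show
// that password_hash() salts each hash itself when no 'salt' is given.

// Constructed sample table: the first three hashes are the ones from the
// answer above (fixed salt); the fourth is freshly generated with a random salt.
$stored = [
    'alice' => '$2y$10$123456789123456789123u2l31KVtAAQPjgDEYorAjG5V8p9MWDx2',
    'bob'   => '$2y$10$123456789123456789123uOlCRXcGHP2s7.4hwA7pLsVlmqL3pmLq',
    'carol' => '$2y$10$123456789123456789123uN0gdQ.iBssxH4MxYvSqqYkSgAKQuL9S',
    'dave'  => password_hash('senha_legal', PASSWORD_BCRYPT),
];

/**
 * Split "$2y$<cost>$<22-char salt><31-char digest>" into its parts.
 * Returns null for anything that is not a well-formed bcrypt string.
 */
function bcryptParts(string $hash): ?array
{
    $re = '/^\$2[aby]\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    if (!preg_match($re, $hash, $m)) {
        return null;
    }
    return ['cost' => (int) $m[1], 'salt' => $m[2], 'digest' => $m[3]];
}

/**
 * Group usernames by salt. Any group with more than one member was produced
 * with a reused salt; those accounts should be rehashed at their next login.
 */
function findSharedSalts(array $stored): array
{
    $bySalt = [];
    foreach ($stored as $user => $hash) {
        $parts = bcryptParts($hash);
        if ($parts === null) {
            continue; // not bcrypt (e.g. argon2): nothing to compare
        }
        $bySalt[$parts['salt']][] = $user;
    }
    return array_filter($bySalt, fn(array $users) => count($users) > 1);
}

foreach (findSharedSalts($stored) as $salt => $users) {
    echo "salt $salt reused by: " . implode(', ', $users) . PHP_EOL;
}

// Without a 'salt' option every call draws a fresh random salt, so the same
// password gives two different strings, and both still verify.
$h1 = password_hash('senha_legal', PASSWORD_BCRYPT);
$h2 = password_hash('senha_legal', PASSWORD_BCRYPT);
var_dump($h1 !== $h2, password_verify('senha_legal', $h1), password_verify('senha_legal', $h2));
```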
