Re: [VOTE] Change crypt() behavior w/o salt

From: Date: Tue, 22 Oct 2013 17:21:08 +0000
Subject: Re: [VOTE] Change crypt() behavior w/o salt
Groups: php.internals
On 10/22/2013 06:11 PM, Adam Harvey wrote:
> On 22 October 2013 02:58, Andrea Faulds <[email protected]> wrote:
>> On 22/10/2013 07:10, Yasuo Ohgaki wrote:
>>> Any comments on the patch for this RFC? A better E_NOTICE message is welcome.
>>
>> I'm a native English speaker; how about "Calling crypt() without giving a salt will not produce strong password hashes."? It doesn't necessarily say you will produce a strong hash with it (other factors are at play), but it does say that you can't without it. Perhaps "secure" might be better than "strong".
>
> I think I'd prefer the wording to be a little stronger, since this is going to be shown when the user has actually done that. How about: "Generating an insecure weak hash as no salt was given: please ensure the salt parameter is specified and uses a strong hash type in order to generate a cryptographically secure hash"
>
> On the bright side, at least php_error_docref() will ensure there's a link to the crypt() manual page in most setups.
>
> Rereading that, we may actually want to be slightly more opinionated there about which hash types are good and which are bad (it's not at all obvious that the DES and MD5 types shouldn't generally be used).
>
> Adam

+1, that's good too ...

Wonder how well it will translate?? "Generating" should be "Generated", no??

Cheers
Joe
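The usage the proposed notice steers callers towards, as an added example that is not part of this thread or of PHP's own code: it passes crypt() an explicit salt that selects bcrypt, verifies a password by re-running crypt() with the stored hash as the salt, and includes a small audit helper that flags DES and MD5 hashes by their prefix. The helper names classifyCryptHash() and makeBcryptSalt() are my own, the demo password and legacy hash strings are constructed, and the script assumes PHP 7 or later (random_bytes(), password_hash(), hash_equals()).

```php
<?php
declare(strict_types=1);

// Added example for this thread, not code from the thread or from the PHP project.
// Assumes PHP 7.x or later. All demo values below are constructed.

/**
 * Classify a crypt()-format hash by its salt prefix so stored hashes can be
 * audited for the DES and MD5 schemes that should no longer be used.
 */
function classifyCryptHash(string $hash): string
{
    // bcrypt: "$2y$" (or the older $2a$/$2b$), two-digit cost, "$", 53 hash characters
    if (preg_match('#^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$#', $hash)) {
        return 'bcrypt (strong)';
    }
    // sha-crypt: "$5$" is SHA-256, "$6$" is SHA-512
    if (preg_match('#^\$[56]\$#', $hash)) {
        return 'sha-crypt (acceptable)';
    }
    // md5-crypt: "$1$", eight-character salt, "$", 22 hash characters
    if (strncmp($hash, '$1$', 3) === 0) {
        return 'md5-crypt (weak, do not use)';
    }
    // extended DES: leading underscore, 20 characters in total
    if ($hash !== '' && $hash[0] === '_' && strlen($hash) === 20) {
        return 'extended DES (weak, do not use)';
    }
    // standard DES: 13 characters, the first two being the salt
    if (preg_match('#^[./A-Za-z0-9]{13}$#', $hash)) {
        return 'standard DES (weak, do not use)';
    }
    // crypt() signals failure with a short string such as "*0"; treat it as unusable.
    return 'unrecognised or failed hash';
}

/**
 * Build an explicit bcrypt salt for crypt(): "$2y$", two-digit cost, "$",
 * then 22 characters from the [./A-Za-z0-9] alphabet. base64 emits '+',
 * which bcrypt does not accept, so it is mapped to '.'.
 */
function makeBcryptSalt(int $cost = 10): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    $chars = substr(strtr(base64_encode(random_bytes(18)), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $chars);
}

$password = 'correct horse battery staple'; // constructed demo value

// Explicit salt that selects a strong scheme: the case the notice asks for.
$hash = crypt($password, makeBcryptSalt(10));
if (strlen($hash) < 13) {
    throw new RuntimeException('crypt() failed; bcrypt is not available in this build');
}

// Verification re-runs crypt() with the stored hash as the salt and compares in constant time.
$ok  = hash_equals($hash, crypt($password, $hash));
$bad = hash_equals($hash, crypt('wrong password', $hash));

// password_hash() is the higher-level API that chooses the salt and scheme for you.
$managed = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

$samples = [
    'explicit bcrypt'  => $hash,
    'password_hash()'  => $managed,
    'legacy md5-crypt' => '$1$abcdefgh$0123456789abcdefghijkl', // constructed, not a real hash
    'legacy DES'       => 'ab0123456789A',                      // constructed, not a real hash
];
foreach ($samples as $label => $h) {
    printf("%-17s %s\n", $label . ':', classifyCryptHash($h));
}
printf("correct password verifies: %s, wrong password verifies: %s\n",
       var_export($ok, true), var_export($bad, true));
```

Run it with `php crypt_salt_demo.php` (any file name works). The classifier is deliberately prefix-based so it can be pointed at an existing user table to find rows that still need rehashing on next login; in new code, password_hash() and password_verify() are the simpler choice because they never let the salt be omitted in the first place.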
