
I'm reading the phpass manual. At some point, it checks the result of the hashing like this:

$hash = $hasher->HashPassword($pass);    // $hasher is a PasswordHash instance
if (strlen($hash) < 20)                  // every phpass hash format is at least 20 chars
    fail('Failed to hash new password'); // fail() is an application-defined error handler

I understand that's the minimum length for a phpass hash, but I don't understand why it would fail. Is it even possible? I mean, who/what should I blame if it happens? How do I prevent that? I also posted a comment about this on the web page.

For reference, you can find the code of PasswordHash::HashPassword() in this question: How can * be a safe hashed password?

bigstones
  • A suggestion: The PHP developers are currently working on PHP 5.5. This will include dedicated functions for working with secure passwords. (See here: http://www.h-online.com/security/news/item/PHP-5-5-should-reduce-password-sloppiness-1707835.html). However, a version of this library is available to use in older PHP versions already. You can download it from here: https://github.com/ircmaxell/password_compat . It might be worth considering using it, since it will very shortly be the PHP standard. – Spudley Sep 20 '12 at 21:23
  • Have you included the phpass class? – rsz Sep 20 '12 at 21:54
  • @rsz: well, actually I haven't started using it. I just wondered what I should tell the user when `HashPassword()` fails... like "no strange characters", and how to prevent such situations. @Spudley: I'm on php 5.2 :( – bigstones Sep 20 '12 at 21:59

1 Answer

I noticed that some underlying libraries, such as 'crypt' don't fail gracefully when something is wrong, but just return a shorter string.

Maybe this is a symptom of this problem, and just an extra precaution.

Evert
  • This led me to look for "fail" in [crypt() docs](http://php.net/manual/en/function.crypt.php) and get the answer I wanted. Problems would be invalid characters in the salt, or other invalid parameters. So it really seems to be just an extra precaution. – bigstones Sep 20 '12 at 22:08
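To make the answer concrete, here is an added example (not code from the question, the answer, or phpass itself) that shows the behaviour the length check guards against: PHP's crypt() does not raise an error on a malformed salt/setting string; per the PHP manual it returns a string shorter than 13 characters instead, and phpass's HashPassword() likewise returns "*" when every hashing method fails. The helper safe_crypt() and both setting strings below are constructed for this illustration.

```php
<?php
// Hypothetical helper: hash with crypt() and refuse to treat the
// documented failure marker (a string shorter than 13 chars) as a hash.
function safe_crypt($password, $setting)
{
    $hash = crypt($password, $setting);
    // Real hash lengths: bcrypt 60, MD5-crypt 34, traditional DES 13.
    // Anything shorter than 13 is crypt()'s failure signal, and storing
    // it would leave the account with a password that can never verify.
    if (!is_string($hash) || strlen($hash) < 13) {
        throw new RuntimeException(
            'crypt() failed: check the salt/setting string'
        );
    }
    return $hash;
}

// A well-formed bcrypt setting: "$2a$" + two-digit cost + 22 salt
// characters from the ./A-Za-z0-9 alphabet (constructed sample salt).
$good_setting = '$2a$08$abcdefghijklmnopqrstuu';
// Malformed on purpose: cost outside 04..31 and a salt that is too short.
$bad_setting  = '$2a$99$tooshort';

// Inspect the raw crypt() results to see the short failure marker for
// the bad setting next to the full-length hash for the good one.
var_dump(crypt('correct horse', $good_setting));
var_dump(crypt('correct horse', $bad_setting));

// The wrapper turns the silent failure into an explicit error, which is
// the same idea as the strlen($hash) < 20 check in the phpass manual.
try {
    $stored = safe_crypt('correct horse', $good_setting);
    echo "stored hash OK\n";
    safe_crypt('correct horse', $bad_setting);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The check costs nothing and catches a misconfigured salt generator or a missing crypt() backend before an unverifiable value ends up in the users table.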