News Feed
Jobs Feed
Sections




News Archive
Davey Shafik's Blog:
The Blowfish Debacle
by Chris Cornutt February 13, 2012 @ 10:02:49

Davey Shafik has a recent post to his blog about what he calls "The Blowfish Debacle" - the issues that came up with the PHP 5.3.7 release to upgrade the crypt_blowfish version that resulted in a larger error being introduced.

This was a great security fix, solving an issue with insecure passwords due to incorrect behavior. HOWEVER, what wasn't made clear, is that this change was actually a backwards compatibility break. If you upgraded to 5.3.7+ data hashed pre-5.3.7 would no longer match data hashed post-5.3.7; this means if you use it for passwords, it will no longer match. So what's the deal here?

He talks about the differences in the two methods of encryption, the newer being the "more correct" way of doing things. If you need the backwards compatibility because of previously hashed values, you can use the "$2x$" prefix instead of the usual "$2a$". He includes a snippet of code that can be used to upgrade all of your previously hashed blowfish passwords up to the new format.

0 comments voice your opinion now!
blowfish upgrade issue backwardscompatibility security fix


blog comments powered by Disqus

Similar Posts

DevShed: Authentication for Web Application Security

Ryan Malesevich's Blog: More Thoughts on Wordpress 2.1

Trevor Lowing\'s Blog: Cluesheet - Tips for PHP Developers

PHP Security Blog: A Trio of Javascript Issues

International PHP Magazine: Poll Question: What Makes a Good PHP Security Architecture?


 Community Events











Don't see your event here?
Let us know!

opinion release community phpunit testing introduction tool conference functional interview podcast language framework zendframework2 code example series application development unittest

All content copyright, 2013 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework