Me again.

I was wondering if it would be possible to change Portable.php to accept the id string ($H$) as config option.
This would be much cleaner than the current if ($id != '$P$' && $id != '$H$') stuff and also allow to make things like isValid() work too.

Cheers, mano

The wikipedia article mentions the following:

Later research into human-selected password entropy using newly available real world data has demonstrated that the NIST scheme does not provide a valid metric for entropy estimation of human-selected passwords.

The linked blog post and research paper clarify this statement. NIST relies on the Shannon entropy model, which has been proven to incorrectly model real-world password entropy considering use by humans and real-life attack methods. Having this method as the default is therefore unwise and should be deprecated.

I'm not sure how the Wolfram Alpha calculation is constructed, so cannot say if it performs better, but from my personal tests it also has some weak spots. A method like Dropbox's zxcvbn algorithm seems to be a better match, although it hasn't been around long enough to be properly reviewed. Still it seems like a reasonable method that would be good to implement since it can be used in combination with the front-end javascript library. Something to consider though.

Wrong parameters for Exception([string $exception [, long $code [, Exception $previous = NULL]]])
https://github.com/rchouinard/phpass/blob/master/src/Phpass/Hash/Adapter/Base.php#L99

Comparing passwords using == or === is vulnerable to a remote timing attack.
http://blog.astrumfutura.com/2010/10/nanosecond-scale-remote-timing-attacks-on-php-applications-time-to-take-them-seriously/

Im getting the following issue

The requested package rych/phpass could not be found in any version, there may be a typo in the package name.

i used "rych/phpass": "2.1.0-dev"

The BCrypt adapter takes 16 bytes of random data and tries to create a salt using 64 possible characters (a period, a slash, 26 uppercase letters, 26 lowercase letters, and 10 numerics).

It does this by taking six bits of data from the 16 bytes provided to create a number between 0-63 to index into an array of salt characters. When there is no more data in a given byte, it takes the next 2 or 4 bits from the next byte, or begins a new byte entirely.

The problem is that only 16 bytes of data are being used to create a 22 character salt. 16 bytes only provides 128 bits of data. 22 six-bit indexes would take 132 bits to create.

The way PHPass creates the final salt character is to take the remaining two bits from the final byte, prep them to receive the next four bits from the next byte, which doesn't exist, and writes this as the final character.

This means that the rightmost four bits in the final byte will always be zeroes, creating only four possible character indexes, 0, 16, 32, and 48 (i.e. 000000, 100000, 010000, and 110000). These indexes correspond to the period character, uppercase O, lowercase E, and lowercase U.

One of these four characters will always be the last character in the BCrypt salt.

You can fix this by providing 17 bytes of data to the _encode64 method, and then taking trimming the output from that method to only use the first 22 characters provided. If you have a better way, then by all means please use that.

Hi there,

Just wondering if it would be possible to have Phpass.php in a namespace too? It seems weird to have all code nicely put into namespaces, but not the class you are bound to use?

PHPUnit output for 2.0.2 and 2.0.2-p1

PHPUnit 3.6.11 by Sebastian Bergmann.

Configuration read from /home/jay/phpass/rchouinard-phpass-2dc6e32/tests/phpunit.xml

.....F.................................

Time: 8 seconds, Memory: 5.75Mb

There was 1 failure:

1) Phpass\Hash\Adapter\ExtDesTest::adapterGeneratesSameHashGivenOriginalSaltAndPasswordString
Failed asserting that two strings are equal.
--- Expected
+++ Actual
@@ @@
-'_zzz1OacgfuRYUi4zYeQ'
+'_zPXZFl8kpcQw'

/home/jay/phpass/rchouinard-phpass-2dc6e32/tests/library/Phpass/Hash/Adapter/ExtDesTest.php:133

FAILURES!
Tests: 39, Assertions: 57, Failures: 1.

Generating code coverage report in HTML format ... done

I've run the tests several times. The expected hash is different every time, but the actual stays the same.

Configuration (two machines):

$ php --version
PHP 5.3.10-1ubuntu3.2 with Suhosin-Patch (cli) (built: Jun 13 2012 17:20:55)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies
    with Xdebug v2.1.0, Copyright (c) 2002-2010, by Derick Rethans

$ php --version
PHP 5.4.4-2 (cli) (built: Jun 19 2012 07:38:55)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies
    with Xdebug v2.2.0, Copyright (c) 2002-2012, by Derick Rethans

After updating to PEAR 1.10.0, channel-discover and channel-update for this channel give the following error:

pear channel-update rych
Updating channel "rych"
PHP Fatal error: Using $this when not in object context in /usr/share/php/PEAR/Downloader.php on line 1714
PHP Stack trace:
PHP 1. {main}() /usr/share/php/pearcmd.php:0
PHP 2. PEAR_Command_Common->run() /usr/share/php/pearcmd.php:316
PHP 3. PEAR_Command_Channels->doUpdate() /usr/share/php/PEAR/Command/Common.php:270
PHP 4. PEAR_Common->downloadHttp() /usr/share/php/PEAR/Command/Channels.php:546
PHP 5. PEAR_Downloader::_downloadHttp() /usr/share/php/PEAR/Common.php:833

works fine for all of my other channels