Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:120996
Return-Path: <tim@bastelstu.be>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 32460 invoked from network); 6 Sep 2023 16:52:31 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 6 Sep 2023 16:52:31 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 868EA1804F5
	for <internals@lists.php.net>; Wed,  6 Sep 2023 09:52:30 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS,
	T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS24940 176.9.0.0/16
X-Spam-Virus: No
X-Envelope-From: <tim@bastelstu.be>
Received: from chrono.xqk7.com (chrono.xqk7.com [176.9.45.72])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Wed,  6 Sep 2023 09:52:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bastelstu.be;
	s=mail20171119; t=1694019148;
	bh=vy/IaHQxAlgIXu3WM5cwHmpp6x0FA+quIjLBE3M/mzE=;
	h=Message-ID:Date:MIME-Version:Subject:To:References:From:
	 In-Reply-To:Content-Type:from:to:cc:subject:message-id;
	b=ceMhvTTK3MCTZL5UpMW1YmALEH1cEZTKFmxfvlGEryrmv9u2orSD043oGm6bw3OjI
	 eeYd/ePCwIv7mEx8prhP4kEUiPJFCvfAJ4nrUCt3IIw8kMXNBKAl6FN9XqWXMu8KsK
	 5G1f+WFsW7+fI/lQo1J3BctOSiMMgpGCWKvYEKK8frG35wA7uYNIBz89jZ6EkHqoc/
	 WYXRUTy+XfAL5vHDomuEOR5jwffvAGRREF4spDU8U5VsE1aPEQfV2VuybY3I3Kb6tR
	 HGpmuwq9Bm84hZwtVpkPX4UHjW4n+poBlxnYEF6E9hkd653cg6meYQBEJT54ULGsbp
	 a06goCh732Rog==
Message-ID: <86811a7b-e5c7-0d00-7726-6502e8c34479@bastelstu.be>
Date: Wed, 6 Sep 2023 18:52:26 +0200
MIME-Version: 1.0
To: Vinicius Dias <carlosv775@gmail.com>, internals@lists.php.net
References: <CAEwRQKZK6zGh4UYPc60QZATjfiy32Jq-7TCuucN723JtrwpTHg@mail.gmail.com>
Content-Language: en-US
In-Reply-To: <CAEwRQKZK6zGh4UYPc60QZATjfiy32Jq-7TCuucN723JtrwpTHg@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: [PHP-DEV] PASSWORD_DEFAULT value
From: tim@bastelstu.be (=?UTF-8?Q?Tim_D=c3=bcsterhus?=)

Hi

On 9/6/23 18:08, Vinicius Dias wrote:
> I was wondering here... Is there any reason for `PASSWORD_DEFAULT`'s
> value not to be `PASSWORD_ARGON2ID`?
> 

To the best of my knowledge Argon2 is not available in a "default" 
installation of PHP without including any external dependencies.

Also Argon2 for settings that are reasonable for interactive 
authentication is worse than BCrypt according to:

https://twitter.com/TerahashCorp/status/1155119064248913920
and
https://twitter.com/TerahashCorp/status/1155129705034653698

Best regards
Tim Düsterhus