Newsgroups: php.internals
Xref: news.php.net php.internals:120998
Date: Wed, 6 Sep 2023 21:24:55 +0200
From: divinity76@gmail.com (Hans Henrik Bergan)
To: Tim Düsterhus
Cc: Vinicius Dias, PHP internals
Subject: Re: [PHP-DEV] PASSWORD_DEFAULT value
In-Reply-To: <86811a7b-e5c7-0d00-7726-6502e8c34479@bastelstu.be>

Argon2 is opt-in, not opt-out, at compile-time, so then we would have to agree on it being acceptable for PASSWORD_DEFAULT to have different values depending on compile-time options. Maybe that's completely fine, or maybe it isn't, idk.
But as Düsterhus points out, Argon2 is inferior to bcrypt anyway, according to people much smarter than myself. Oh, and Argon2 has been around since 2015 and multiple vulnerabilities have been discovered, speeding up brute force/dictionary attacks. Can't say the same for bcrypt.

On Wed, Sep 6, 2023, 18:52 Tim Düsterhus wrote:

> Hi
>
> On 9/6/23 18:08, Vinicius Dias wrote:
> > I was wondering here... Is there any reason for `PASSWORD_DEFAULT`'s
> > value not to be `PASSWORD_ARGON2ID`?
>
> To the best of my knowledge Argon2 is not available in a "default"
> installation of PHP without including any external dependencies.
>
> Also Argon2 for settings that are reasonable for interactive
> authentication is worse than BCrypt according to:
>
> https://twitter.com/TerahashCorp/status/1155119064248913920
> and
> https://twitter.com/TerahashCorp/status/1155129705034653698
>
> Best regards
> Tim Düsterhus
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: https://www.php.net/unsub.php
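The compile-time concern raised in this thread (an Argon2 build and a non-Argon2 build would disagree about the preferred algorithm) is what `password_needs_rehash()` exists to absorb. The following is an added example, not code from the thread or from PHP itself: it picks the strongest algorithm the running build exposes and lazily re-hashes stored credentials on successful login. The cost parameters are assumed tuning values, and the `preferredAlgo`, `hashPassword` and `verifyAndUpgrade` names are hypothetical.

```php
<?php
// PASSWORD_ARGON2ID is only defined when PHP was compiled with Argon2
// support, which is the compile-time opt-in the thread discusses.
function preferredAlgo()
{
    return defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_BCRYPT;
}

function preferredOptions(): array
{
    // Assumed tuning values; calibrate against your own hardware.
    return preferredAlgo() === PASSWORD_BCRYPT
        ? ['cost' => 12]
        : ['memory_cost' => 65536, 'time_cost' => 4, 'threads' => 1];
}

function hashPassword(string $password): string
{
    return password_hash($password, preferredAlgo(), preferredOptions());
}

/**
 * Verify a login attempt. Returns the stored hash (re-hashed with the
 * current preferred algorithm/cost if it was stale) on success so the caller
 * can persist it, or null on failure.
 */
function verifyAndUpgrade(string $password, string $storedHash): ?string
{
    // password_verify() reads the algorithm from the hash prefix, so old
    // bcrypt hashes keep verifying on an Argon2 build. The reverse is NOT
    // true: an argon2id hash stored by one build fails on a build without
    // Argon2, which is exactly the risk of a varying PASSWORD_DEFAULT.
    if (!password_verify($password, $storedHash)) {
        return null;
    }
    if (password_needs_rehash($storedHash, preferredAlgo(), preferredOptions())) {
        return hashPassword($password); // lazy migration on successful login
    }
    return $storedHash;
}

// Constructed demo: a legacy bcrypt hash at a lower cost factor.
$stored   = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
$upgraded = verifyAndUpgrade('correct horse battery staple', $stored);
var_dump($upgraded !== null && $upgraded !== $stored); // bool(true): re-hashed
var_dump(verifyAndUpgrade('wrong password', $stored)); // NULL
```

Persist the returned hash whenever it differs from the stored one; after one round of logins the user table converges on whatever this build prefers without a bulk migration.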