Newsgroups: php.internals
References: <86811a7b-e5c7-0d00-7726-6502e8c34479@bastelstu.be>
Date: Wed, 6 Sep 2023 16:33:14 -0300
To: Hans Henrik Bergan
Cc: Tim Düsterhus, PHP internals
Subject: Re: [PHP-DEV] PASSWORD_DEFAULT value
From: carlosv775@gmail.com (Vinicius Dias)

This is very interesting. It's the first time I see recommendations pro Bcrypt and against Argon2. Even OWASP recommends Argon2 over Bcrypt [1]. I am not a cryptography expert, so I believe that if there is a discussion of which one is better, PHP shouldn't change things for now, so that totally answers the question of why the default is still bcrypt.
Thank you both for replying.

[1] https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

Vinicius Dias, Zend Certified Engineer, iMasters PHP Certified Professional

On Wed., 6 Sep 2023 at 16:25, Hans Henrik Bergan wrote:
>
> Argon2 is opt-in, not opt-out, at compile-time, so then we would have to agree on it being acceptable for PASSWORD_DEFAULT to have different values depending on compile-time options, maybe that's completely fine, or maybe it isn't, idk.
>
> But as Düsterhus points out, Argon2 is inferior to bcrypt anyway, according to people much smarter than myself.
>
> Oh and Argon2 has been around since 2015 and multiple vulnerabilities have been discovered, speeding up brute force/dictionary attacks. Can't say the same for bcrypt.
>
> On Wed, Sep 6, 2023, 18:52 Tim Düsterhus wrote:
>>
>> Hi
>>
>> On 9/6/23 18:08, Vinicius Dias wrote:
>> > I was wondering here... Is there any reason for `PASSWORD_DEFAULT`'s
>> > value not to be `PASSWORD_ARGON2ID`?
>> >
>>
>> To the best of my knowledge Argon2 is not available in a "default"
>> installation of PHP without including any external dependencies.
>>
>> Also Argon2 for settings that are reasonable for interactive
>> authentication is worse than BCrypt according to:
>>
>> https://twitter.com/TerahashCorp/status/1155119064248913920
>> and
>> https://twitter.com/TerahashCorp/status/1155129705034653698
>>
>> Best regards
>> Tim Düsterhus
>>
>> --
>> PHP Internals - PHP Runtime Development Mailing List
>> To unsubscribe, visit: https://www.php.net/unsub.php
>>
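The compile-time availability point raised in the thread, shown as an added example that is not part of any message above and not PHP's own code: a small helper that hashes with PASSWORD_ARGON2ID only when this PHP build actually defines that constant, falls back to PASSWORD_BCRYPT otherwise, and uses password_needs_rehash() so that stored hashes are upgraded on the next successful login when the algorithm or its parameters change. The bcrypt cost and the Argon2id memory/time/thread values are assumed illustration values, not recommendations taken from the thread; the sample password and the "legacy" hash are constructed inline. Requires PHP 7.4 or newer, where the PASSWORD_* algorithm constants are strings.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Argon2 support is opt-in at PHP
// build time, so PASSWORD_ARGON2ID may simply not exist on a given host;
// defined() is the only reliable runtime check for that.
function preferred_algo(): string
{
    return defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_BCRYPT;
}

// Assumed tuning values for this example; benchmark on the real server.
function preferred_options(string $algo): array
{
    if ($algo === PASSWORD_BCRYPT) {
        return ['cost' => 12];
    }
    return ['memory_cost' => 64 * 1024, 'time_cost' => 3, 'threads' => 1];
}

function hash_password(string $password): string
{
    $algo = preferred_algo();
    return password_hash($password, $algo, preferred_options($algo));
}

// Returns [login_ok, replacement_hash_or_null]. A replacement hash is
// produced when the stored one uses a different algorithm or weaker
// parameters than the current policy, so hashes migrate transparently
// even if PASSWORD_DEFAULT (or this build's Argon2 support) changes.
function verify_and_upgrade(string $password, string $stored): array
{
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    $algo = preferred_algo();
    if (password_needs_rehash($stored, $algo, preferred_options($algo))) {
        return [true, hash_password($password)];
    }
    return [true, null];
}

// Constructed demo: a legacy bcrypt hash at cost 10 is upgraded on login.
$password = 'correct horse battery staple';
$legacy   = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

[$ok, $new] = verify_and_upgrade($password, $legacy);
printf("login ok: %s, rehash issued: %s\n", $ok ? 'yes' : 'no', $new !== null ? 'yes' : 'no');
if ($new !== null) {
    printf("new hash uses: %s\n", password_get_info($new)['algoName']);
}

// What this build's PASSWORD_DEFAULT resolves to right now.
printf("PASSWORD_DEFAULT here: %s\n",
    password_get_info(password_hash('x', PASSWORD_DEFAULT))['algoName']);

// A wrong password never triggers a rehash.
[$ok, $new] = verify_and_upgrade('wrong password', $legacy);
printf("wrong password accepted: %s\n", $ok ? 'yes' : 'no');
```

On a build without Argon2 the helper stays on bcrypt and still rehashes the cost-10 example to cost 12; on a build with Argon2 the same login produces an argon2id hash. Either way the code never hard-codes PASSWORD_ARGON2ID, which is the failure mode the compile-time remark above warns about.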