Newsgroups: php.internals
Xref: news.php.net php.internals:60839
Date: Thu, 14 Jun 2012 11:42:39 -0700
Subject: Re: [PHP-DEV] Adding a simple API for secure password hashing?
From: kris.craig@gmail.com (Kris Craig)
To: Nikita Popov
Cc: PHP internals

On Wed, Jun 13, 2012 at 2:31 PM, Nikita Popov wrote:

> Hi internals!
>
> Recent incidents have shown that even very large websites still don't
> get how to do password hashing properly. The sha1 hashes used by
> Linkedin et al can be easily cracked even by amateurs without special
> hardware.
>

LinkedIn was using sha1?! Are you fucking serious?? I think it's time for me to change my password there to something I'm *not* using anywhere else lol.

At this rate, tomorrow are we going to learn that Gmail uses md5 and that Facebook passwords are stored in plaintext files under the HTTP root?....

Anyway, BIG +1 on this RFC!

--Kris