Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:60859
Return-Path: <ircmaxell@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 63224 invoked from network); 16 Jun 2012 12:41:27 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 16 Jun 2012 12:41:27 -0000
Authentication-Results: pb1.pair.com smtp.mail=ircmaxell@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=ircmaxell@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.216.52 as permitted sender)
X-PHP-List-Original-Sender: ircmaxell@gmail.com
X-Host-Fingerprint: 209.85.216.52 mail-qa0-f52.google.com  
Received: from [209.85.216.52] ([209.85.216.52:40848] helo=mail-qa0-f52.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 9E/A4-27230-5FE7CDF4 for <internals@lists.php.net>; Sat, 16 Jun 2012 08:41:25 -0400
Received: by qabj34 with SMTP id j34so4223778qab.18
        for <internals@lists.php.net>; Sat, 16 Jun 2012 05:41:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=EZEu11mCpTkM0DYNCeP91EFjCDPOQE+OHcPGITpw3ZU=;
        b=Ag5bsBToXee6zcLFzMJEIWQctRD/SRo6wJbBn87LWXvbfYHt4WyPTuWEodrUjjFryN
         91RqRT5Az+yD2FAx808UFXzqU317j1q3vZjQLIvZJRf5OAbKqalCyuf0kHPqHTZYpYPj
         3BDYp3i0sLRT8bAOrlMjIEQ52SrKfxFa/nPgAehMT0CRvUGC4LoDHAFANqpGc46Hw94g
         4ZC55g6TprPJbXBU2vlBgA5PoAUTwOTuwaP6YUdsR43VLN1LwaAXh8TC3dOUMdo82N48
         bEfVPY6nUQcTVjtliskU1zEkosDw6c22dy2VcVT8WHVisFW65bcIdpniwdPll/CFPtpc
         Hc7g==
MIME-Version: 1.0
Received: by 10.224.184.1 with SMTP id ci1mr16764552qab.97.1339850482577; Sat,
 16 Jun 2012 05:41:22 -0700 (PDT)
Received: by 10.229.49.204 with HTTP; Sat, 16 Jun 2012 05:41:22 -0700 (PDT)
In-Reply-To: <CAAUB37CP1pCKCAvvQ56EkeT_0VdjpXwd_=FnQct+9XZTou0_GA@mail.gmail.com>
References: <CAF+90c-6VWJ_kBW=Z8Br-NOxKyuTkwStRg-OMBa6844w3=CjDA@mail.gmail.com>
	<CAKOpQSzHLWhQxe9D2hjAo+O4AevoAEL4vFAhkoyxiZS8fvc3GA@mail.gmail.com>
	<CAAUB37CP1pCKCAvvQ56EkeT_0VdjpXwd_=FnQct+9XZTou0_GA@mail.gmail.com>
Date: Sat, 16 Jun 2012 08:41:22 -0400
Message-ID: <CAAyV7nEKuta7rFx2ZAQQyD6JMA6z2G3UGF-ETmPbcs73vy74GQ@mail.gmail.com>
To: Herman Radtke <hermanradtke@gmail.com>
Cc: Nikita Popov <nikita.ppv@googlemail.com>, PHP internals <internals@lists.php.net>
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: [PHP-DEV] Adding a simple API for secure password hashing?
From: ircmaxell@gmail.com (Anthony Ferrara)

Herman,

> This userland library already solves all the issues you outlined with
> bcrypt: http://www.openwall.com/phpass/

That library is not without its issues. For example, if you ask for a
portable hash, it gives you a custom algorithm instead of bcrypt.
That's because the library is php4 compatible. So for modern versions
of PHP (5.3+), it produces an unnecessarily weak hash.

In addition, the custom hash function that it uses is fairly weak. It
uses md5 as its primitive (because in php4 that's all that's
available), which while not the end of the world, could be improved.
It also does a simple feedback loop on hash the hash function for the
iterations. This is good, but could be better by using hash_hmac which
internally does two hash rounds per call, and feeding back more state
into the loop (Like PBKDF2 does).

It's not bad enough that if you're already using it you should go
running to replace it (not at all). But if you are starting a new
project, stick to bcrypt, PBKDF2, crypt_sha512, scrypt, etc...

If you want some background on it: http://drupal.org/node/1201444

The reason that I am bringing it up, is that if we're pulling it in
core, we should understand the limitations...

Anthony