Newsgroups: php.internals
Date: Sat, 16 Jun 2012 15:39:35 +0200
From: pierre.php@gmail.com (Pierre Joye)
To: Anthony Ferrara, Solar Designer
Cc: Herman Radtke, Nikita Popov, PHP internals
Subject: Re: [PHP-DEV] Adding a simple API for secure password hashing?

hi Anthony,

Adding Alex to the loop as his insight will be invaluable in this thread.

On Sat, Jun 16, 2012 at 2:41 PM, Anthony Ferrara wrote:
>> This userland library already solves all the issues you outlined with
>> bcrypt: http://www.openwall.com/phpass/
>
> That library is not without its issues. For example, if you ask for a
> portable hash, it gives you a custom algorithm instead of bcrypt.
> That's because the library is php4 compatible. So for modern versions
> of PHP (5.3+), it produces an unnecessarily weak hash.

Because it was exciting before. However the point here is not the implementation but the APIs.

To be honest I am not a big fan of providing such an API in the core as no matter the default implementation, it will become obsolete sooner or later. And changing the default brings its lot of issues and BC problems.

That being said, it seems that we may not have the choice anyway so having a well designed and implemented API for password (and related or similar areas) generations may be a good thing.

Cheers,
--
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org