Newsgroups: php.internals
Message-ID: <4FDCA964.7020703@gmail.com>
Date: Sat, 16 Jun 2012 17:42:28 +0200
From: keisial@gmail.com (Ángel González)
To: Pierre Joye
CC: Anthony Ferrara, Solar Designer, Herman Radtke, Nikita Popov, PHP internals
Subject: Re: [PHP-DEV] Adding a simple API for secure password hashing?

On 16/06/12 15:39, Pierre Joye wrote:
> However the point here is not the implementation but the APIs.
>
> To be honest I am not a big fan of providing such an API in the core
> as no matter the default implementation, it will become obsolete sooner
> or later. And changing the default brings its lot of issues and BC
> problems.
>
> That being said, it seems that we may not have the choice anyway so
> having a well designed and implemented API for password (and related
> or similar areas) generations may be a good thing.

The generated password hash should contain versioning information (such
as the $1$ for crypt), so password_verify() of later PHP versions will
be able to correctly verify it, even after the default password hash
changes (set an older type in php.ini if you don't want to use the new
format).
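
The point made in the message above, as an added example that is not part of the original post or of PHP's own code: because a crypt-style hash names its scheme in its prefix, a legacy $1$ hash still verifies after the default has moved on, and can be flagged for upgrade at login. It uses the password_* functions that later shipped in PHP 5.5; hash_scheme() and verify_and_upgrade() are hypothetical helper names, and the sample password and salt are constructed.

```php
<?php
// Added example: the scheme identifier travels inside the hash string.

/** Name the scheme from the crypt(3)-style prefix of a stored hash. */
function hash_scheme(string $hash): string
{
    $prefixes = [
        '$1$'        => 'md5-crypt',
        '$2a$'       => 'bcrypt',
        '$2x$'       => 'bcrypt',
        '$2y$'       => 'bcrypt',
        '$5$'        => 'sha256-crypt',
        '$6$'        => 'sha512-crypt',
        '$argon2i$'  => 'argon2i',
        '$argon2id$' => 'argon2id',
    ];
    foreach ($prefixes as $prefix => $name) {
        if (strncmp($hash, $prefix, strlen($prefix)) === 0) {
            return $name;
        }
    }
    return 'unknown';
}

/**
 * Verify against whatever scheme the stored hash names, then produce a
 * replacement hash if that scheme is no longer the current default.
 * Returns [bool $ok, ?string $upgradedHash].
 */
function verify_and_upgrade(string $password, string $stored): array
{
    if (!password_verify($password, $stored)) {
        return [false, null];   // wrong password: never rehash
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }
    return [true, null];        // already on the current default
}

// Constructed sample: a legacy record hashed with MD5-crypt ($1$).
$legacy = crypt('correct horse', '$1$examples$');
[$ok, $upgraded] = verify_and_upgrade('correct horse', $legacy);
printf("legacy: %s, verified: %s\n", hash_scheme($legacy), var_export($ok, true));
printf("upgraded to: %s\n", hash_scheme($upgraded));

[$ok2] = verify_and_upgrade('wrong guess', $legacy);
printf("wrong password verified: %s\n", var_export($ok2, true));
```

The caller stores the second return value in place of the old hash when it is not null, so records migrate as users log in.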