Newsgroups: php.internals
Date: Mon, 18 Jun 2012 13:06:33 +0400
Message-ID: <3B162E01-67F6-4684-ACE7-40CAF73E9DC3@gmail.com>
References: <8714BC2A-45E2-4303-9769-8399AF316159@gmail.com>
To: PHP internals
Subject: Re: [PHP-DEV] Adding a simple API for secure password hashing?
From: indeyets@gmail.com (Alexey Zakhlestin)

On 18.06.2012, at 1:54, Pierre Joye wrote:

>> I guess SCrypt binding could be implemented.
>> http://www.tarsnap.com/scrypt.html
>
> Using yet another dependency for that? Not good.

That's easier and safer than implementing this on our own.

>
>> That's the best available option at the moment.
>> http://stackoverflow.com/questions/1226513/whats-the-advantage-of-scrypt-over-bcrypt
>
> This post says the exact opposite, just saying :)

The post says that SCrypt is better, because it is way harder to solve.
Bcrypt requires a lot of CPU, but SCrypt requires a lot of CPU + a lot of RAM

>> It is BSD-licensed, so we can easily bundle it with PHP
>
> Maybe nice to have in pecl.

Sure, that's an option, but pecl won't help php to have default "state-of-art" password hashing toolset ;)
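
The CPU-plus-RAM point made in this message, as an added example that is not part of the original post or of PHP: it uses Python's `hashlib.scrypt` rather than the PHP binding the thread proposes, and the `scrypt$N$r$p$salt$hash` record format, the function names and the `MAX_MEM` cap are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_MEM = 64 * 1024 * 1024  # assumed policy cap on memory per verification

def scrypt_memory_bytes(n: int, r: int) -> int:
    """Size of scrypt's main working array: 128 * N * r bytes."""
    return 128 * n * r

def _derive(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    # maxmem is raised above the working-set size so OpenSSL accepts the cost.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          maxmem=2 * scrypt_memory_bytes(n, r), dklen=32)

def hash_password(password: str, n: int = 2**14, r: int = 8, p: int = 1) -> str:
    """Return 'scrypt$N$r$p$salt$hash' (constructed format) with a fresh salt."""
    salt = os.urandom(16)
    return f"scrypt${n}${r}${p}${salt.hex()}${_derive(password, salt, n, r, p).hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters; reject malformed or oversized costs."""
    try:
        scheme, n, r, p, salt_hex, dk_hex = stored.split("$")
        n, r, p = int(n), int(r), int(p)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        # Parameters come from storage: cap them so a tampered record cannot
        # force an arbitrarily large allocation.
        if scheme != "scrypt" or scrypt_memory_bytes(n, r) > MAX_MEM:
            return False
        actual = _derive(password, salt, n, r, p)
    except ValueError:
        return False
    return hmac.compare_digest(actual, expected)

if __name__ == "__main__":
    print(scrypt_memory_bytes(2**14, 8) // 2**20, "MiB per guess at N=2^14, r=8")
    record = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", record))
```

Doubling `N` doubles both the time and the memory of every guess, which is the property bcrypt's CPU-only cost factor lacks.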