Newsgroups: php.internals
Date: Mon, 18 Jun 2012 12:54:14 -0400
Subject: Re: [PHP-DEV] Adding a simple API for secure password hashing?
From: ircmaxell@gmail.com (Anthony Ferrara)
To: Pierre Joye
Cc: Alexey Zakhlestin, PHP internals

Pierre,

> There is sadly only state-of-art-right-now password hashing methods.
> We have to keep that in mind :)

That's why the crypt() return format was designed. All of the options that are needed to validate the hash (algorithm, cost parameter, salt, etc) are fit right into the outputted string.

I'd suggest that's what's done here. In fact, I'd make the functions just a thin wrapper around crypt(). Basically, just where it sets sane defaults that we can update every minor (or major) release (to compensate for faster servers). It handles salt generation, error checking, etc.

Here's what I have in mind in PHP: https://gist.github.com/2949382

Anthony
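
An added sketch of the kind of thin crypt() wrapper this message describes, showing how the self-describing hash string lets the default cost be raised later. It is not the code from the linked gist; the function names, the choice of bcrypt (`$2y$`) and the default cost of 12 are assumptions.

```php
<?php
// Added illustration: hypothetical helper names, not the API from the linked gist.
const EXAMPLE_DEFAULT_COST = 12; // assumed default; a later release would raise it

function example_hash_password(string $password, int $cost = EXAMPLE_DEFAULT_COST): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    // 16 random bytes -> 22 characters in bcrypt's ./A-Za-z0-9 salt alphabet.
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$%s', $cost, $salt));
    // crypt() reports failure as a short marker string ("*0" or "*1"), not an exception.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('crypt() did not return a bcrypt hash');
    }
    return $hash;
}

function example_verify_password(string $password, string $stored): bool
{
    // Algorithm, cost and salt are read back from the stored string itself.
    $check = crypt($password, $stored);
    // Reject failure markers, then compare in constant time.
    return strlen($check) > 2 && hash_equals($stored, $check);
}

function example_needs_rehash(string $stored, int $cost = EXAMPLE_DEFAULT_COST): bool
{
    // Parse the "$2y$NN$" prefix; anything else is treated as outdated.
    if (!preg_match('/^\$2y\$(\d{2})\$/', $stored, $m)) {
        return true;
    }
    return (int) $m[1] < $cost;
}

// Constructed sample: a hash created under an older, lower default.
$stored = example_hash_password('correct horse battery staple', 10);
var_dump(example_verify_password('correct horse battery staple', $stored));
var_dump(example_verify_password('wrong guess', $stored));
if (example_needs_rehash($stored)) {
    // On a successful login the plaintext is available, so upgrade in place.
    $stored = example_hash_password('correct horse battery staple');
}
var_dump(substr($stored, 0, 7));
```

Because verification takes its parameters from the stored string, hashes created under the old default keep validating after the default changes, and each one can be upgraded at the user's next successful login.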