Newsgroups: php.internals
Xref: news.php.net php.internals:60882
Date: Mon, 18 Jun 2012 19:54:09 +0200
To: Anthony Ferrara
Cc: PHP internals
Subject: Re: [PHP-DEV] Adding a simple API for secure password hashing?
From: e.zimuel@gmail.com (Enrico Zimuel)

2012/6/18 Anthony Ferrara :
>
> That's why the crypt() return format was designed. All of the options
> that are needed to validate the hash (algorithm, cost parameter, salt,
> etc) are fit right into the outputted string.
>
> I'd suggest that's what's done here. In fact, I'd make the functions
> just a thin wrapper around crypt(). Basically, just where it sets sane
> defaults that we can update every minor (or major) release (to
> compensate for faster servers). It handles salt generation, error
> checking, etc.
>
> Here's what I have in mind in php: https://gist.github.com/2949382
>

I like your idea to offer a wrapper of crypt() with a better API (actually I used this approach in the ZF2 project: https://github.com/zendframework/zf2/blob/master/library/Zend/Crypt/Password/Bcrypt.php). I think we should also support the user's salt as an option and generate a random salt if not provided. For the random generation I suggest using openssl_random_pseudo_bytes() as the first option, which is considered more secure compared with mcrypt_create_iv($size, MCRYPT_DEV_URANDOM). I just wrote those changes here: https://gist.github.com/2949592

Regards,
Enrico Zimuel
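The design both messages describe (a thin wrapper over crypt() with a sane default cost, a random bcrypt salt when the caller supplies none, an optional caller-provided salt, and verification driven entirely by the parameters embedded in the stored hash) can be sketched as follows. This is an added example written for this page; it is not the code in either linked gist nor the ZF2 Bcrypt class, and the function names hash_password, verify_password and generate_bcrypt_salt are assumptions. It assumes PHP 5.3.7 or later, since it uses the $2y$ bcrypt prefix.

```php
<?php
// Added example, not from the thread or the linked gists. Function and constant
// names are hypothetical. Requires PHP >= 5.3.7 for the "$2y$" bcrypt prefix.

const DEFAULT_BCRYPT_COST = 10; // the "sane default" a release could raise over time

// Produce the 22-character salt crypt() expects for bcrypt, drawn from the
// alphabet [./A-Za-z0-9]. openssl_random_pseudo_bytes() is tried first, as the
// thread suggests, with mcrypt_create_iv(MCRYPT_DEV_URANDOM) as a fallback.
function generate_bcrypt_salt() {
    $raw = false;
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $raw = openssl_random_pseudo_bytes(16, $strong);
        if ($strong !== true) {
            $raw = false; // refuse a non-cryptographic source
        }
    }
    if ($raw === false && function_exists('mcrypt_create_iv')) {
        $raw = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
    }
    if ($raw === false || strlen($raw) !== 16) {
        throw new RuntimeException('no secure random source available for the salt');
    }
    // Standard base64 of 16 bytes is 24 chars with padding and uses '+' where
    // bcrypt's alphabet uses '.', so substitute and keep the first 22 chars.
    return substr(str_replace('+', '.', base64_encode($raw)), 0, 22);
}

// Hash a password; the caller may pin the cost and/or supply a salt, otherwise
// the defaults are used. The returned string carries algorithm, cost and salt.
function hash_password($password, $cost = DEFAULT_BCRYPT_COST, $salt = null) {
    if (!is_int($cost) || $cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be an integer in [4, 31]');
    }
    if ($salt === null) {
        $salt = generate_bcrypt_salt();
    } elseif (!preg_match('#^[./A-Za-z0-9]{22}$#', $salt)) {
        throw new InvalidArgumentException('salt must be 22 characters of [./A-Za-z0-9]');
    }
    $setting = sprintf('$2y$%02d$%s', $cost, $salt);
    $hash = crypt($password, $setting);
    // crypt() reports failure with a short string such as "*0"; a valid
    // bcrypt hash is always 60 characters.
    if (!is_string($hash) || strlen($hash) !== 60) {
        throw new RuntimeException('crypt() did not return a bcrypt hash');
    }
    return $hash;
}

// Verify by passing the stored hash back to crypt() as the setting string:
// crypt() parses the "$2y$<cost>$<salt>" prefix out of it, which is exactly
// why nothing besides the hash needs to be stored.
function verify_password($password, $hash) {
    $computed = crypt($password, $hash);
    if (!is_string($computed) || strlen($computed) !== strlen($hash)) {
        return false;
    }
    // Constant-time comparison so timing does not reveal how many leading
    // bytes of the two strings agree.
    $diff = 0;
    for ($i = 0, $n = strlen($hash); $i < $n; $i++) {
        $diff |= ord($computed[$i]) ^ ord($hash[$i]);
    }
    return $diff === 0;
}

// Constructed usage: a random salt on the first call, a caller-supplied salt
// on the second; both hashes verify through the same verify_password().
$hash1 = hash_password('correct horse battery staple');
$hash2 = hash_password('correct horse battery staple', 12, generate_bcrypt_salt());
var_dump(verify_password('correct horse battery staple', $hash1));
var_dump(verify_password('correct horse battery staple', $hash2));
var_dump(verify_password('wrong password', $hash1));
```

Because the cost lives inside the stored string, a later release can raise DEFAULT_BCRYPT_COST without breaking verification of existing hashes; a caller who wants to migrate users to the new cost can compare the cost parsed from a stored hash against the current default at login time and rehash when it is lower.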