Newsgroups: php.internals
From: keisial@gmail.com (Ángel González)
Date: Wed, 20 Jun 2012 00:26:36 +0200
To: Anthony Ferrara
CC: Pierre Joye, Alexey Zakhlestin, PHP internals
Subject: Re: [PHP-DEV] Adding a simple API for secure password hashing?

On 18/06/12 18:54, Anthony Ferrara wrote:
> Pierre,
>
>> There are sadly only state-of-art-right-now password hashing methods.
>> We have to keep that in mind :)
> That's why the crypt() return format was designed. All of the options
> that are needed to validate the hash (algorithm, cost parameter, salt,
> etc) are fit right into the outputted string.
>
> I'd suggest that's what's done here. In fact, I'd make the functions
> just a thin wrapper around crypt(). Basically, just where it sets sane
> defaults that we can update every minor (or major) release (to
> compensate for faster servers). It handles salt generation, error
> checking, etc.
>
> Here's what I have in mind in php: https://gist.github.com/2949382

I don't think the code is the most appropriate one, but I suppose that's
not a final proposal.
The interfaces look good to me.
I'd maybe set the default $algo to PASSWORD_DEFAULT_HASH or similar,
being a value bumped on each next revision.
I would consider it preferable to have the $ of password_register_algo
prefix implicit.

Regards
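
The point made in the quoted message, that a crypt() string carries its own algorithm, cost and salt so a thin wrapper can raise its defaults later, shown as an added example; it is not part of this message and not the code in the linked gist. The example_* names and the cost values are assumptions, and it assumes PHP 7 or later for random_bytes() and hash_equals().

```php
<?php
// Added illustration: hypothetical function names, assumed default cost.
const EXAMPLE_DEFAULT_COST = 10; // the "sane default" a later release could raise

function example_hash(string $password, int $cost = EXAMPLE_DEFAULT_COST): string
{
    // bcrypt expects 22 salt characters from the alphabet ./A-Za-z0-9;
    // the first 22 base64 characters of 16 random bytes fit once '+' is mapped to '.'.
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$%s', $cost, $salt));
    if (strlen($hash) !== 60) {
        // crypt() reports failure with a short marker string instead of a hash
        throw new RuntimeException('crypt() failed');
    }
    return $hash;
}

function example_verify(string $password, string $hash): bool
{
    // The stored hash is passed back as the salt argument: crypt() reads the
    // algorithm, cost and salt from it, so no separate metadata is stored.
    $check = crypt($password, $hash);
    return strlen($check) === 60 && hash_equals($hash, $check);
}

function example_needs_rehash(string $hash, int $cost = EXAMPLE_DEFAULT_COST): bool
{
    // Layout: $2y$<2-digit cost>$<22-char salt><31-char digest>
    if (!preg_match('/^\$2y\$(\d{2})\$[.\/A-Za-z0-9]{53}$/', $hash, $m)) {
        return true; // unknown or legacy format: rehash at next login
    }
    return (int) $m[1] < $cost;
}

// Constructed sample: a hash stored under an older, cheaper default.
$stored = example_hash('correct horse', 8);
var_dump(example_verify('correct horse', $stored));
var_dump(example_verify('wrong guess', $stored));

// After a successful login, upgrade the stored hash if the default has moved on.
if (example_needs_rehash($stored)) {
    $stored = example_hash('correct horse');
}
var_dump(example_needs_rehash($stored));
```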