Newsgroups: php.internals
Date: Wed, 20 Jun 2012 11:00:04 -0400
Message-ID: <005701cd4ef5$606331c0$21299540$@com>
Subject: RE: [PHP-DEV] [RFC] Add hash_pbkdf2 function
From: jbondc@openmv.com ("Jonathan Bond-Caron")
To: "'Anthony Ferrara'"

On Mon Jun 18 07:14 PM, Anthony Ferrara wrote:
>
> https://wiki.php.net/rfc/hash_pbkdf2
>

I like this proposal, it could be useful to add a simpler api that has
defaults matching the NIST recommendation:

    hash_password($password, $salt, $algo = 'sha1', $iterations = 1000);

if the salt doesn't have at least 16 characters (128 bits), throw error

internally this calls:

    hash_pbkdf2('sha1', $password, $salt, 1000);

My point being that:

    $hash = hash_password('1234', 'my'. $password[1] . 'super-long-salt-secret');

Gives good enough security 80% of use cases and is simpler than:

    $hash = hash_pbkdf2('sha1', '1234', 'my'. $password[1] . 'super-long-salt-secret', 1000);

Developers will still use sha1 or md5 because they are so simple.
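
Added example, not part of the original message and not PHP's own code: a sketch of the hash_password() wrapper described above, enforcing the 16-character salt rule before calling hash_pbkdf2(). The 'sha1' and 1000 defaults are the message's; the two record helpers, the '$'-separated storage format and the random_bytes() salt are assumptions made for illustration.

```php
<?php
// hash_password() is the hypothetical wrapper sketched in the message, not a
// PHP built-in. The 'sha1' / 1000 defaults are the message's own values.
function hash_password(string $password, string $salt, string $algo = 'sha1', int $iterations = 1000): string
{
    // Rule from the message: refuse salts shorter than 16 characters (128 bits).
    if (strlen($salt) < 16) {
        throw new InvalidArgumentException('salt must be at least 16 characters (128 bits)');
    }
    // PBKDF2 is built on HMAC, so only HMAC-capable algorithms are accepted.
    if (!in_array($algo, hash_hmac_algos(), true) || $iterations < 1) {
        throw new InvalidArgumentException('unsupported algorithm or iteration count');
    }
    return hash_pbkdf2($algo, $password, $salt, $iterations); // lowercase hex
}

// Assumed helper: store algorithm, iterations and salt next to the hash so the
// parameters can be raised later without invalidating existing records.
function make_password_record(string $password, string $algo = 'sha1', int $iterations = 1000): string
{
    $salt = bin2hex(random_bytes(16)); // 128 random bits as 32 hex characters
    return implode('$', [$algo, $iterations, $salt, hash_password($password, $salt, $algo, $iterations)]);
}

// Assumed helper: recompute with the stored parameters, compare in constant time.
function verify_password_record(string $password, string $record): bool
{
    $parts = explode('$', $record);
    if (count($parts) !== 4) {
        return false;
    }
    [$algo, $iterations, $salt, $expected] = $parts;
    try {
        $actual = hash_password($password, $salt, $algo, (int) $iterations);
    } catch (InvalidArgumentException $e) {
        return false; // malformed or tampered record
    }
    return hash_equals($expected, $actual);
}

// Constructed sample input.
$record = make_password_record('correct horse battery staple');
var_dump(verify_password_record('correct horse battery staple', $record));
var_dump(verify_password_record('wrong guess', $record));
try {
    hash_password('1234', 'short-salt');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```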