Newsgroups: php.internals
Date: Thu, 21 Jun 2012 07:16:33 -0400
To: Jonathan Bond-Caron
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] [RFC] Add hash_pbkdf2 function
From: ircmaxell@gmail.com (Anthony Ferrara)

Jonathan,

> I like this proposal, it could be useful to add a simpler api that has
> defaults matching the NIST recommendation:
> hash_password($password, $salt, $algo = 'sha1', $iterations = 1000);

Check out the other thread about adding a simple password API.

As far as implementing that as well, I don't care for it. Basically, the reason is that it limits the algorithms that can be called by hash_password. Specifically scrypt would not be possible, because it has more parameters than that.

> My point being that:
>
> $hash = hash_password('1234', 'my'. $password[1] .
> 'super-long-salt-secret');
>
> Gives good enough security 80% of use cases and is simpler than:
>
> $hash = hash_pbkdf2('sha1', '1234', 'my'. $password[1] .
> 'super-long-salt-secret', 1000);
>
> Developers will still use sha1 or md5 because they are so simple.

The goal of this API addition is not to simplify anything. It's to provide a C implementation of the PBKDF2 algorithm. The other topic about password hashing has the simplification goal.

Anthony