Newsgroups: php.internals
From: ircmaxell@gmail.com (Anthony Ferrara)
To: PHP internals
Date: Mon, 25 Jun 2012 11:43:13 -0400
Subject: Re: [PHP-DEV] Adding a simple API for secure password hashing?

Hello again,

I have put together a quick proof-of-concept for the password API.

C: https://github.com/ircmaxell/php-src/blob/hash_password/ext/standard/password.c

PHP (Implemented as a backwards-compatibility layer, so 5.3/5.4 users
can use the API earlier):
https://github.com/ircmaxell/password_compat/blob/master/lib/password.php

It needs some work before it's ready for an RFC, but it works as
intended. Right now, it defines 3 functions:

password_create($password, $algo = PASSWORD_DEFAULT, array $options = array())
password_verify($password, $hash)
password_make_salt($length, $raw_output = false)

Some of the things I want to change include the ability to set the
default bcrypt and sha* cost/round parameters via a php.ini setting
(right now, it's just a C constant). I also want to refactor it a bit
to clean it up. I also need to test it out fully...

I also don't care for the amount of PHP function calls it makes
(zend_call_method_with_n_params). But that may be ok, given the

What do you think so far?

Anthony

On Wed, Jun 20, 2012 at 6:05 AM, Anthony Ferrara wrote:
> Angel,
>
>> I don't think the code is the most appropriate one, but I suppose that's
>> not a final proposal.
>
> Correct, it was just to fill out the interface a bit so that people
> could play with it and see how the interface worked...
>
>> The interfaces look good to me.
>> I'd maybe set the default $algo to PASSWORD_DEFAULT_HASH or similar,
>> being a value bumped on each next revisions.
>
> Yeah, that's a good idea. Makes it easier to update without changing
> the interface.
>
>> I would consider preferable to have the $ of password_register_algo prefix
>> implicit.
>
> That's fair.
>
> Thanks,
>
> Anthony
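
The three-function interface described in the message, sketched in userland PHP on top of crypt() with bcrypt. This is an added example, not the linked proof-of-concept or php-src code; the sketch_* function names and SKETCH_* constants are hypothetical. It shows why the verify call needs only the password and the hash: the algorithm identifier, cost and salt all travel inside the hash string, so the default can be bumped later without breaking stored hashes.

```php
<?php
// Added illustration; sketch_* and SKETCH_* are hypothetical names, not the proposed API.
const SKETCH_BCRYPT  = '2y';           // crypt() identifier for bcrypt
const SKETCH_DEFAULT = SKETCH_BCRYPT;  // the value a later release could bump

// Returns $length salt characters in bcrypt's ./0-9A-Za-z alphabet, or raw bytes.
function sketch_make_salt(int $length, bool $raw_output = false): string
{
    if ($raw_output) {
        return random_bytes($length);
    }
    // base64 differs from the bcrypt alphabet only in '+', so map it to '.'.
    $encoded = strtr(base64_encode(random_bytes($length)), '+', '.');
    return substr($encoded, 0, $length);
}

function sketch_create(string $password, string $algo = SKETCH_DEFAULT, array $options = []): string
{
    if ($algo !== SKETCH_BCRYPT) {
        throw new InvalidArgumentException('unknown algorithm');
    }
    $cost = $options['cost'] ?? 10;
    if (!is_int($cost) || $cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be an integer from 4 to 31');
    }
    // Algorithm, cost and a fresh 22-character salt form the crypt() setting string.
    $setting = sprintf('$%s$%02d$%s', $algo, $cost, sketch_make_salt(22));
    $hash = crypt($password, $setting);
    if (strlen($hash) !== 60) {
        // crypt() signals failure with a short marker string instead of a hash.
        throw new RuntimeException('crypt() rejected the bcrypt setting');
    }
    return $hash;
}

function sketch_verify(string $password, string $hash): bool
{
    // The stored hash doubles as the setting string, so no $algo argument is needed.
    $check = crypt($password, $hash);
    // Reject crypt() failure markers, then compare in constant time.
    return strlen($check) > 13
        && strlen($check) === strlen($hash)
        && hash_equals($hash, $check);
}

$stored = sketch_create('correct horse battery staple', SKETCH_DEFAULT, ['cost' => 10]);
var_dump(sketch_verify('correct horse battery staple', $stored)); // matching password
var_dump(sketch_verify('wrong guess', $stored));                  // non-matching password
```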