Newsgroups: php.internals
Date: Wed, 27 Jun 2012 08:24:39 -0400
From: ircmaxell@gmail.com (Anthony Ferrara)
To: Pierre Joye
Cc: Gustavo Lopes, Simon Schick, internals@lists.php.net
Subject: Re: [PHP-DEV] [DRAFT RFC] Adding Simplified Password Hashing API

Pierre,

>> As I understand, hashes computed with the old default method could still be
>> checked without any modification as the hash itself stores information about
>> the method.
>
> That's only about one relatively simple use case where only PHP would
> be involved or crypt-like implementation. For any other and rather
> common cases, it won't. I do not think a default should be implemented
> and actually let the user know what he uses and what he is doing.
> That's one argument after all and clears all possible caveats.

Well, the argument could be made that if you need portability in that respect, that you should be using `crypt()` or the other library directly. This API is designed for the common use-case that impacts 99.9% of developers, where their applications will be the only ones accessing the passwords. And even if in the future they need to access it from a different system entirely (Python for example), we're only implementing standard algorithms. So there should be a Python binding available to verify (and hash) those passwords.

This won't take the place of crypt() or other libraries. It's only there to solve the lowest common denominator in a dirt simple way. I think removing the default (and forcing an algorithm specification) kind of defeats that point a little bit. It's not the end of the world, and I could possibly be convinced, but I'm skeptical.

As for the issue you raised, I think that could be handled in the documentation. Perhaps something to the effect of:

> PASSWORD_DEFAULT - This is the default algorithm that password_hash will use if none is specified. Note that this is designed to change over time as newer and stronger algorithms are implemented. If you need to stay with a single algorithm (for portability or other reasons), it's recommended to always specify the algorithm in the function call.

Actually, now that I'm talking that out, perhaps the way to do it would be to specify the default algorithm in a php.ini parameter instead of the constant? That way the API can stay the same, but gives people more control over the default creation... Then again, maybe not.

Thoughts?

Anthony
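The thread's point that the hash string itself records the method is what lets a second system (the Python case mentioned in the message) choose the right verifier after a default changes. The following is an added example, not part of the original message or of PHP's code: it parses crypt-style strings for bcrypt and SHA-crypt, and `identify`, `needs_rehash` and the sample strings are hypothetical names and constructed values.

```python
import re

B64 = r"[./A-Za-z0-9]"
# bcrypt: $2y$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT = re.compile(rf"\$(2[abxy])\$(\d\d)\${B64}{{22}}{B64}{{31}}")
# SHA-crypt: $5$ or $6$, optional rounds=N$, salt of up to 16 chars, digest
SHACRYPT = re.compile(rf"\$([56])\$(?:rounds=(\d+)\$)?{B64}{{1,16}}\$({B64}+)")
SHA_DIGEST_LEN = {"5": 43, "6": 86}
SHA_NAME = {"5": "sha256-crypt", "6": "sha512-crypt"}


def identify(stored):
    """Return (algorithm, cost) read from the hash string itself."""
    m = BCRYPT.fullmatch(stored)
    if m:
        cost = int(m.group(2))
        if not 4 <= cost <= 31:
            raise ValueError("bcrypt cost out of range")
        return "bcrypt", cost
    m = SHACRYPT.fullmatch(stored)
    if m and len(m.group(3)) == SHA_DIGEST_LEN[m.group(1)]:
        # 5000 is the SHA-crypt default when no rounds= field is present
        return SHA_NAME[m.group(1)], int(m.group(2) or 5000)
    # Fail closed: an unrecognised prefix is never treated as a valid hash
    raise ValueError("unrecognised or malformed hash format")


def needs_rehash(stored, want_algo, want_cost):
    """True when the stored hash uses a different algorithm or a lower
    cost than the current policy (hypothetical policy check)."""
    algo, cost = identify(stored)
    return algo != want_algo or cost < want_cost


# Constructed sample strings: correct shape, not digests of any password.
SAMPLE_BCRYPT = "$2y$10$" + "N" * 22 + "h" * 31
SAMPLE_SHA512 = "$6$rounds=20000$" + "s" * 16 + "$" + "d" * 86

if __name__ == "__main__":
    for h in (SAMPLE_BCRYPT, SAMPLE_SHA512):
        print(identify(h), needs_rehash(h, "bcrypt", 12))
```

A verifier on another platform would dispatch on the algorithm returned by `identify` and, after a successful login, re-hash the password when `needs_rehash` is true.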