Newsgroups: php.internals
To: "Pierre Joye", "Anthony Ferrara"
Cc: "Simon Schick", internals@lists.php.net
Date: Wed, 27 Jun 2012 14:32:15 +0200
Organization: Núcleo de Eng. Biomédica do I.S.T.
Subject: Re: [PHP-DEV] [DRAFT RFC] Adding Simplified Password Hashing API
From: glopes@nebm.ist.utl.pt ("Gustavo Lopes")

On Wed, 27 Jun 2012 14:24:39 +0200, Anthony Ferrara wrote:

> Actually, now that I'm talking that out, perhaps the way to do it
> would be to specify the default algorithm in a php.ini parameter
> instead of the constant? That way the API can stay the same, but gives
> people more control over the default creation... Then again, maybe
> not.
>
> Thoughts?

I don't see any advantage in adding complexity through another level of indirection. If people want control over the default their application uses, they can just use a constant they define.

That said, I think the default algorithm should provide sufficient guarantees to enable it to be used in a forward compatible fashion. For instance, if the default hash at one point consumes n bytes, then it may be backwards incompatible to change to use more than n bytes as at that point you may need a larger database field. So it should be documented with future changes in mind.

-- 
Gustavo Lopes
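The two points in this message, shown as an added example (not code from the thread or from the RFC): an application-defined constant pins the algorithm, and a length check guards the storage column against a future, longer hash. It assumes the password_hash() family that later shipped in PHP 5.5; APP_PASSWORD_ALGO, APP_PASSWORD_OPTIONS, HASH_COLUMN_WIDTH, hashForStorage() and verifyAndUpgrade() are hypothetical names.

```php
<?php
declare(strict_types=1);

// Application-owned default: the "constant they define" from the message.
// Assumption: the password_hash() API as shipped in PHP 5.5 and later.
const APP_PASSWORD_ALGO = PASSWORD_BCRYPT;
const APP_PASSWORD_OPTIONS = ['cost' => 12];

// Assumption: width of the column that stores hashes, e.g. VARCHAR(255).
const HASH_COLUMN_WIDTH = 255;

function hashForStorage(string $password): string
{
    $hash = password_hash($password, APP_PASSWORD_ALGO, APP_PASSWORD_OPTIONS);
    // Fail loudly instead of letting the database truncate a longer hash
    // after an algorithm change; a truncated hash never verifies again.
    if (strlen($hash) > HASH_COLUMN_WIDTH) {
        throw new LengthException(sprintf(
            'hash is %d bytes, column holds %d', strlen($hash), HASH_COLUMN_WIDTH));
    }
    return $hash;
}

// Returns [authenticated, replacement hash to store or null].
function verifyAndUpgrade(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }
    // Old hashes keep verifying; they are replaced at login once the
    // application's chosen algorithm or options have moved on.
    $new = password_needs_rehash($storedHash, APP_PASSWORD_ALGO, APP_PASSWORD_OPTIONS)
        ? hashForStorage($password)
        : null;
    return [true, $new];
}

// Constructed sample: a hash created under an older, cheaper setting.
$old = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]);
[$ok, $upgraded] = verifyAndUpgrade('correct horse', $old);
var_dump($ok, strlen($old), $upgraded !== null);

// Constructed sample: the same hash as a too-narrow CHAR(40) column would keep it.
$truncated = substr($old, 0, 40);
var_dump(password_verify('correct horse', $truncated));
```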