Newsgroups: php.internals
Date: Wed, 27 Jun 2012 14:43:35 +0200
From: pierre.php@gmail.com (Pierre Joye)
To: Gustavo Lopes
Cc: Anthony Ferrara, Simon Schick, internals@lists.php.net
Subject: Re: [PHP-DEV] [DRAFT RFC] Adding Simplified Password Hashing API

hi,

On Wed, Jun 27, 2012 at 2:32 PM, Gustavo Lopes wrote:
> On Wed, 27 Jun 2012 14:24:39 +0200, Anthony Ferrara wrote:
>
>> Actually, now that I'm talking that out, perhaps the way to do it
>> would be to specify the default algorithm in a php.ini parameter
>> instead of the constant? That way the API can stay the same, but gives
>> people more control over the default creation... Then again, maybe
>> not.
>>
>> Thoughts?
>
> I don't see any advantage in adding complexity through another level of
> indirection. If people want control over the default their application uses,
> they can just use a constant they define.

And people will have to, as I described it earlier, and see below.

> That said, I think the default algorithm should provide sufficient
> guarantees to enable it to be used in a forward compatible fashion.

Back then MD5 alone was all nice and shiny. So no, it is not possible to be
forward compatible.

> For instance, if the default hash at one point consumes n bytes, then it may be
> backwards incompatible to change to use more than n bytes as at that point
> you may need a larger database field. So it should be documented with future

It is not about size but the ability to use the password across many
applications. The days where only PHP was involved are behind us.

Yes, crypt may (to some extent) allow that, but this RFC's purpose is to
replace it with a more developer friendly API.

Cheers,
--
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org
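The two concerns argued over above, an application-defined constant instead of a php.ini default and a database column that may be too small when the default changes, as an added example written against the password API that later shipped in PHP 5.5 (password_hash, password_verify, password_needs_rehash). This is not code from the draft RFC or from anyone on the list; the constants APP_PASSWORD_ALGO, APP_PASSWORD_OPTIONS and PASSWORD_COLUMN_LENGTH and the sample row are assumptions.

```php
<?php
// Added example. The application pins its own algorithm and cost instead of
// relying on PASSWORD_DEFAULT, as Gustavo suggests; these names are assumptions.
const APP_PASSWORD_ALGO = PASSWORD_BCRYPT;
const APP_PASSWORD_OPTIONS = ['cost' => 12];
// Width of the VARCHAR column the hash is stored in (assumed schema). bcrypt
// output is 60 bytes; other algorithms produce longer strings, so the check
// below fails loudly instead of letting the database silently truncate a hash.
const PASSWORD_COLUMN_LENGTH = 255;

function hash_for_storage(string $password): string
{
    $hash = password_hash($password, APP_PASSWORD_ALGO, APP_PASSWORD_OPTIONS);
    if (strlen($hash) > PASSWORD_COLUMN_LENGTH) {
        throw new RuntimeException('hash does not fit the password column');
    }
    return $hash;
}

// Verify the password; if the stored hash was produced with a different
// algorithm or cost than the application now requires, return a fresh hash so
// the caller can update the row. This is how stored hashes migrate when the
// application's default changes, without a php.ini switch.
function verify_and_upgrade(string $password, string $stored): ?string
{
    if (!password_verify($password, $stored)) {
        return null; // wrong password: nothing to upgrade
    }
    if (password_needs_rehash($stored, APP_PASSWORD_ALGO, APP_PASSWORD_OPTIONS)) {
        return hash_for_storage($password);
    }
    return $stored; // already current, keep the row as is
}

// Constructed sample: a legacy row hashed at a lower cost than the current policy.
$legacy = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]);
$upgraded = verify_and_upgrade('correct horse', $legacy);
if ($upgraded !== null && $upgraded !== $legacy) {
    echo "legacy hash verified and rehashed under current policy\n";
}
if (verify_and_upgrade('wrong password', $legacy) === null) {
    echo "wrong password rejected, no rehash performed\n";
}
```

The rehash happens only after a successful verification, since that is the only moment the plaintext is available to recompute the hash.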