Newsgroups: php.internals
Xref: news.php.net php.internals:60997
Date: Wed, 27 Jun 2012 09:08:19 -0400
Subject: Re: [PHP-DEV] [DRAFT RFC] Adding Simplified Password Hashing API
From: ircmaxell@gmail.com (Anthony Ferrara)
To: Pierre Joye
Cc: Gustavo Lopes, Simon Schick, internals@lists.php.net

Pierre,

> Back then MD5 alone was all nice and shiny. So no, it is not possible
> to be forward compatible.

By forward compatible, if you mean able to support any new algo, I
think this is forward compatible. The options array allows for new
implementations to implement whatever options they need. If you mean
100% compatibility, then no. That's not possible (due to storage
requirements, etc). But the API would stay the same...

>> For
>> instance, if the default hash at one point consumes n bytes, then it may be
>> backwards incompatible to change to use more than n bytes as at that point
>> you may need a larger database field. So it should be documented with future
>
> It is not about size but ability to use the password across many
> applications. The days where only PHP was involved are behind us. Yes,
> crypt may (to some extent) allow that, but this RFC's purpose is to
> replace it, for a more developer friendly API.

This RFC does not intend to replace crypt(). It is intended to be a
reasonably thin wrapper around it to make it easier to use for the
average use case. Crypt() will still be there, and will still be
encouraged for the use-cases that it makes sense for (portability,
etc). This just attempts to solve the problem for the vast majority
of users.

In fact, the exposed password_make_salt() should make it easier for
developers to use crypt:

    $hash = crypt($pass, "$6$" . password_make_salt(16));

Thanks,

Anthony
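
Added example, not part of the original message or of the RFC's code: the crypt() call above carried through hashing and verification for two schemes, printing the stored length of each so the database-field concern quoted in the thread is visible. make_crypt_salt() is a hypothetical stand-in for the draft's password_make_salt(), and the password and bcrypt cost are constructed sample values.

```php
<?php
// Added illustration; make_crypt_salt() is a hypothetical stand-in for the
// draft RFC's password_make_salt(), which is not assumed to exist here.
function make_crypt_salt(int $length): string
{
    // crypt(3) salts draw from ./0-9A-Za-z (6 bits per character).
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        $salt .= $alphabet[random_int(0, 63)]; // CSPRNG-backed
    }
    return $salt;
}

function hash_password(string $pass, string $prefix, int $saltLen): string
{
    $hash = crypt($pass, $prefix . make_crypt_salt($saltLen));
    // crypt() reports failure by returning "*0" or "*1", not by throwing.
    if (strlen($hash) < 13 || $hash[0] === '*') {
        throw new RuntimeException('crypt() failed for prefix ' . $prefix);
    }
    return $hash;
}

function verify_password(string $pass, string $stored): bool
{
    // The stored string carries the algorithm id and salt, so it is reused
    // as the setting; hash_equals() compares in constant time.
    return hash_equals($stored, crypt($pass, $stored));
}

$pass = 'correct horse battery staple'; // constructed sample input
$schemes = [
    'bcrypt'  => ['$2y$10$', 22], // prefix with cost, salt length
    'sha-512' => ['$6$', 16],     // the prefix used in the message above
];
foreach ($schemes as $name => [$prefix, $saltLen]) {
    $stored = hash_password($pass, $prefix, $saltLen);
    printf("%-8s %3d chars  match=%s  wrong=%s\n", $name, strlen($stored),
        var_export(verify_password($pass, $stored), true),
        var_export(verify_password('wrong', $stored), true));
}
```

Because verification reads the scheme from the stored string itself, old and new hashes can coexist in one column as long as the column is wide enough for the longer format.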