Newsgroups: php.internals
Date: Wed, 27 Jun 2012 16:23:26 +0300
To: Anthony Ferrara
Cc: Pierre Joye, Gustavo Lopes,
Simon Schick, internals@lists.php.net
Subject: Re: [PHP-DEV] [DRAFT RFC] Adding Simplified Password Hashing API
From: arvids.godjuks@gmail.com (Arvids Godjuks)

Hello.

I personally think that using PASSWORD_DEFAULT for the algorithm by default is a bad idea. This should be defined by the user in the code. Even worse if it is defined by an .ini setting - deploy to a remote server and realize that there is a different .ini default that messes up everything. Lessons learned in the past are forgotten fast?

And the thing I don't get is how do I verify a salted password? I have read through the RFC and what I know about salts makes me wonder - how the hell will I verify my salted hash if I can't pass the salt to password_verify? If there is some trick behind it, it should be explained in the RFC (and in the docs later, because otherwise it makes people who are not into cryptography go WTF?!).

Arvids.
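An added illustration of the question raised above, not code from the RFC or from the mail's author, assuming the API as it later shipped in PHP 5.5 (password_hash(), password_verify(), password_get_info()): password_hash() generates the salt itself and stores it, together with the algorithm id and cost, inside the string it returns, which is why password_verify() takes no separate salt argument.

```php
<?php
// Added example (not from the RFC or the mail). Assumes the PHP 5.5+ API:
// password_hash(), password_verify(), password_get_info().

$password = 'correct horse battery staple'; // constructed sample input

// The algorithm is pinned explicitly here instead of relying on
// PASSWORD_DEFAULT, which is the point the mail argues for. No salt is
// passed: password_hash() draws one from the CSPRNG on every call.
$stored = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);

// bcrypt output is a 60-character modular-crypt string laid out as
//   $2y$ | cost | $ | 22-char salt | 31-char digest
// Split it to show that the salt is part of what gets stored.
[$unused, $algo, $cost, $saltAndDigest] = explode('$', $stored);
$salt   = substr($saltAndDigest, 0, 22);
$digest = substr($saltAndDigest, 22);

printf("algo=%s cost=%s salt=%s digest=%s\n", $algo, $cost, $salt, $digest);

// password_get_info() reads the same parameters back from the string,
// so an application can detect hashes made with an outdated cost and rehash.
print_r(password_get_info($stored)['options']);

// Verification recovers salt and cost from $stored; the caller never
// supplies them and cannot get them wrong on a differently configured host.
printf("right password verifies: %s\n",
    password_verify($password, $stored) ? 'yes' : 'no');
printf("wrong password verifies: %s\n",
    password_verify('wrong password', $stored) ? 'yes' : 'no');

// Hashing the same password twice yields different strings because each
// call embeds a fresh random salt, so equal passwords are not linkable
// across accounts if the table leaks.
$again = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
printf("two hashes of one password differ: %s\n",
    $stored !== $again ? 'yes' : 'no');
```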