Newsgroups: php.internals
Xref: news.php.net php.internals:61000
Subject: Re: [PHP-DEV] [DRAFT RFC] Adding Simplified Password Hashing API
From: ircmaxell@gmail.com (Anthony Ferrara)
Date: Wed, 27 Jun 2012 10:16:07 -0400
To: Arvids Godjuks
Cc: Pierre Joye, Gustavo Lopes, Simon Schick, internals@lists.php.net

Arvids,

On Wed, Jun 27, 2012 at 9:23 AM, Arvids Godjuks wrote:
> Hello.
>
> I personally think that using PASSWORD_DEFAULT for algorithm by default is a
> bad idea. This should be defined by the user in the code. Even worse if it is
> defined by .ini setting - deploy to a remote server and realize that there
> is a different .ini default that messes up everything. Lessons learned in
> the past are forgotten fast?

It wouldn't mess up anything. All it would do is change the algorithm used by the library when creating new passwords. Existing ones will still validate. The new ones will validate on the old server as long as that algorithm is supported (could be an issue in a mixed environment where there are servers using an older version without support for the new method in crypt())...

> And the thing I don't get is how do I verify a salted password? I have read
> through the RFC and what I know about the salts makes me wonder - how da
> hell I will verify my salted hash if I can't pass the salt to
> password_verify?

Ah, I think I see the disconnect. crypt() returns the full salt information along with everything necessary to hash it (all settings). So the generated hash includes the salt, the method, and the cost parameter. For example:

    // single quotes so PHP does not interpolate $usesomesillystringfore as a variable;
    // bcrypt expects a 22-character salt after the "$2a$07$" prefix
    var_dump(crypt('rasmuslerdorf', '$2a$07$usesomesillystringfore'));
    string(60) "$2a$07$usesomesillystringfore2uDLvp1Ii2e./U9C8sBjqp8I90dH6hi"

So just storing the hash is enough...

> If there is some trick behind, it should be explained in the RFC (and in the
> docs later, because otherwise it makes people WTF?! who are not into
> cryptography).

That's completely fair. I'll add a section to the RFC about that...

Thanks,

Anthony
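The point Anthony makes above, that the crypt() output is self-describing and so the stored hash is the only thing a verifier needs, worked through as an added example. This is not code from the post, the RFC or PHP itself; the function names parseBcryptHash, cryptSupports and verifyWithCrypt are this example's own, and it assumes PHP 7.1 or later (nullable return types, hash_equals(), password_hash()). It also covers the mixed-environment caveat from the post: before treating a failed comparison as a wrong password, it checks whether the local crypt() understands the algorithm named in the stored string at all.

```php
<?php
declare(strict_types=1);

// Added example, not code from the mailing-list post or from PHP itself.
// Assumes PHP >= 7.1 with bcrypt support in crypt() and password_hash().
// Function names below are this example's own.

// Split a bcrypt-style crypt() string into the parts it carries in front of
// the digest: algorithm id, cost and the 22-character salt. Because all of
// this travels with the hash, a verifier needs no separate salt argument.
function parseBcryptHash(string $hash): ?array
{
    $re = '~^\$(2[axy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$~';
    if (!preg_match($re, $hash, $m)) {
        return null; // not a bcrypt string, or truncated in storage
    }
    return ['id' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

// Does this PHP build's crypt() understand the algorithm named in $hash?
// For an unsupported or malformed setting the manual documents that crypt()
// returns a short failure string (fewer than 13 characters) instead of a hash.
// In a fleet mixing old and new servers, this separates "cannot verify here"
// from "wrong password".
function cryptSupports(string $hash): bool
{
    $probe = crypt('probe', $hash);
    return strlen($probe) >= 13 && $probe[0] !== '*';
}

// Verify by handing the stored hash back to crypt() as the "salt" argument:
// crypt() reads id, cost and salt from its prefix and recomputes the digest.
// hash_equals() compares in constant time.
function verifyWithCrypt(string $password, string $storedHash): bool
{
    if (!cryptSupports($storedHash)) {
        return false;
    }
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// The salt/output pair quoted in the post (the crypt() manual's example).
$stored = '$2a$07$usesomesillystringfore2uDLvp1Ii2e./U9C8sBjqp8I90dH6hi';

print_r(parseBcryptHash($stored));
printf("correct password verifies: %s\n", verifyWithCrypt('rasmuslerdorf', $stored) ? 'yes' : 'no');
printf("wrong password verifies:   %s\n", verifyWithCrypt('wrong', $stored) ? 'yes' : 'no');

// The RFC's API does the same with a random salt chosen for you; the returned
// string again carries id, cost and salt, so storing it alone is enough.
$fresh = password_hash('rasmuslerdorf', PASSWORD_BCRYPT, ['cost' => 10]);
print_r(parseBcryptHash($fresh));
printf("password_verify:           %s\n", password_verify('rasmuslerdorf', $fresh) ? 'yes' : 'no');
```

Run it with `php example.php`. The first parse shows the prefix of the quoted hash split into id `2a`, cost `7` and the 22-character salt; the second shows that password_hash() picks a fresh salt each call, which is why comparing two hashes of the same password directly is wrong and why verification must go through crypt() or password_verify() with the stored string as the setting.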