Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:61002
Return-Path: <arvids.godjuks@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 26065 invoked from network); 27 Jun 2012 16:32:58 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 27 Jun 2012 16:32:58 -0000
Authentication-Results: pb1.pair.com smtp.mail=arvids.godjuks@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=arvids.godjuks@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.160.170 as permitted sender)
X-PHP-List-Original-Sender: arvids.godjuks@gmail.com
X-Host-Fingerprint: 209.85.160.170 mail-gh0-f170.google.com  
Received: from [209.85.160.170] ([209.85.160.170:62485] helo=mail-gh0-f170.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id FD/70-22531-9B53BEF4 for <internals@lists.php.net>; Wed, 27 Jun 2012 12:32:57 -0400
Received: by ghbg2 with SMTP id g2so1277864ghb.29
        for <internals@lists.php.net>; Wed, 27 Jun 2012 09:32:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=lYX8pvbRdGuTp/EeXckLwkmh/GWiejSLTpRFAKzBZds=;
        b=MScttqv+C33IDYwlqz77NMrmksWKgNkLVSlVdhAgqjb+ycT6HWsdJxjh5fqQ2nnR/s
         PWSKPOYEX9w3EOxPjgs+qg9656FrHrU+JpalPCdpih9jRXZnNvx9tkRqahmbqCqJmgvl
         RTE39F19gmFSwDdXhhsdWFfh67XhsIiHz6JgQZ9C/CMuZq5OAfum4INW5BsO21Fb62tb
         EGkXSOWB2hgkGBRoFlylDQ8Fv1zH9Z6mMsKsKhiUzFv4wJo44XLonTDrzJ24GRgCXFsN
         Xla4B256QTvVHLQgA9qeab5iRJAKW1ZpY2pbWpTmwBm4OgJdf0FvXl571ACrrtJ0vr5O
         qTgw==
MIME-Version: 1.0
Received: by 10.50.76.137 with SMTP id k9mr2322618igw.25.1340814774425; Wed,
 27 Jun 2012 09:32:54 -0700 (PDT)
Received: by 10.64.164.134 with HTTP; Wed, 27 Jun 2012 09:32:54 -0700 (PDT)
Received: by 10.64.164.134 with HTTP; Wed, 27 Jun 2012 09:32:54 -0700 (PDT)
In-Reply-To: <CAAyV7nFrr4YSokgeJmCam0rqz_hJmXtzsN9L6eGcTYY80phU=A@mail.gmail.com>
References: <CAAyV7nH6FCZUqrirJ0uOApuwR64Cky3cVnRfbrcjkZrpOKiN6w@mail.gmail.com>
	<CAJWj5+EA3vnNRMBxtVjcPhz1Ga5yqERkTnHoWsyx8Kxm05OEog@mail.gmail.com>
	<CAAyV7nETi6QxfAvPNFUzp02bX7Cm+ur5KnQH_CCahXH7qq7R_A@mail.gmail.com>
	<CAEZPtU7KGweFhOemFTc5O15DW4PK3qWErET+kx09Fa57JF2MhQ@mail.gmail.com>
	<op.wgj8g0h7idpuyk@damnation>
	<CAEZPtU4iPak5L3Ei=TKS9cnBY_vpEbRCbzSeqt8VUGye-m60Nw@mail.gmail.com>
	<CAAyV7nEq98jokXwu2eu4oiOpkEvQTEMaFb2fKk3DE=tiUi9-zQ@mail.gmail.com>
	<op.wgkaf1ocidpuyk@damnation>
	<CAEZPtU4bH9Mpj40OYP=k4oTQGhfdp3btf11GwvLUo59XS8O2uA@mail.gmail.com>
	<CAAyV7nFY_BbKQ5BPZ8Huzrc7114n5XeibTRpJ-MSJhW9apPscg@mail.gmail.com>
	<CAL0xaBEVkdCqy6sorYn7fpgx3sGs4NNmj+BGLUfjUeD+UVTqDA@mail.gmail.com>
	<CAAyV7nFrr4YSokgeJmCam0rqz_hJmXtzsN9L6eGcTYY80phU=A@mail.gmail.com>
Date: Wed, 27 Jun 2012 19:32:54 +0300
Message-ID: <CAL0xaBERa3tcz8+48KwLLdr=rYMUAG6Kumf=OhKCEa5wnwwCuQ@mail.gmail.com>
To: Anthony Ferrara <ircmaxell@gmail.com>
Cc: internals@lists.php.net, Pierre Joye <pierre.php@gmail.com>, 
	Simon Schick <simonsimcity@gmail.com>, Gustavo Lopes <glopes@nebm.ist.utl.pt>
Content-Type: multipart/alternative; boundary=e89a8f23433b56d76d04c376c423
Subject: Re: [PHP-DEV] [DRAFT RFC] Adding Simplified Password Hashing API
From: arvids.godjuks@gmail.com (Arvids Godjuks)

--e89a8f23433b56d76d04c376c423
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On that note I have only one request - please point me to the good article
that describes how this thing works (I would prefer one that at least tries
to explain in simple words) because at the moment i do not understand how
salt stored in the hash itself makes hash more secure than an unsalted one.

Thank you :-)
27.06.2012 14:16 =D0=BF=D0=BE=D0=BB=D1=8C=D0=B7=D0=BE=D0=B2=D0=B0=D1=82=D0=
=B5=D0=BB=D1=8C "Anthony Ferrara" <ircmaxell@gmail.com>
=D0=BD=D0=B0=D0=BF=D0=B8=D1=81=D0=B0=D0=BB:

> Arvids,
>
> On Wed, Jun 27, 2012 at 9:23 AM, Arvids Godjuks
> <arvids.godjuks@gmail.com> wrote:
> > Hello.
> >
> > I personally think that using PASSWORD_DEFAULT for algorythm by default
> is a
> > bad idea. This should be defined by user in the code. Even worse if it =
is
> > defined by .ini setting - deploy to a remote server and realize that
> there
> > is a different .ini default that messes up everything. Lessons learned =
in
> > the past are forgetten fast?
>
> It wouldn't mess up anything. All it would do is change the algorithm
> used by the library when creating new passwords. Existing ones will
> still validate. The new ones will validate on the old server as long
> as that algorithm is supported (could be an issue in a mixed
> environment where there are servers using an older version without
> support for the new method in crypt())...
>
> > And the thing I don't get is how do I verify a salted password? I have
> read
> > throught the RFC and what I know about the salts makes me wonder - how =
da
> > hell I will verify my salted hash if I can't pass the salt to
> > password_verify?
>
> Ah, I think I see the disconnect. crypt() returns the full salt
> information along with everything necessary to hash it (all settings).
> So the generated hash includes the salt, the method, and the cost
> parameter. For example:
>
> var_dump(crypt("rasmuslerdorf", "$2a$07$usesomesillystringfor"));
>
> string(60) "$2a$07$usesomesillystringfore2uDLvp1Ii2e./U9C8sBjqp8I90dH6hi"
>
> So just storing the hash is enough...
>
> > If there is some trick behind, it should be explained in the RFC (and i=
n
> the
> > docs later, because otherwise it makes people WTF?! who are not into
> > cryptography).
>
> That's completely fair. I'll add a section to the RFC about that...
>
> Thanks,
>
> Anthony
>

--e89a8f23433b56d76d04c376c423--