Newsgroups: php.internals
Message-ID: <4FEB8327.90005@gmail.com>
Date: Thu, 28 Jun 2012 00:03:19 +0200
From: Ángel González <keisial@gmail.com>
To: Pierre Joye
CC: Gustavo Lopes, Anthony Ferrara, internals@lists.php.net
Subject: Re: [PHP-DEV] [DRAFT RFC] Adding Simplified Password Hashing API

On 27/06/12 18:13, Pierre Joye wrote:
> Changing default value forces code change if you have to keep a given
> hash, for one obvious side effect.
>
> If you disagree or does not like the idea, that's all fine, but you
> can't really say that it is not an argument (nothing to justify, this
> is a draft and it is being discussed).
>
> Cheers,

Precisely the point of such a constant is to allow the applications to
magically change to use more secure hashes, without needing to perform a
recursive sed in the codebase to change HASH_SHA2015 with HASH_SHA2048.

If you want to be in precise control of the actual hash used in a newer
version (such as a heterogeneous deployment), you could set it to the
lower denominator in php.ini.

Obviously, any such bump -which I would expect to happen on major
releases- would hold an entry in the NEWS file explaining that
PASSWORD_DEFAULT_HASH is now md5 by default instead of crc32 (still, I
would expect a new hash to have been available on several releases -they
could easily be added on minor ones- before becoming the
PASSWORD_DEFAULT_HASH).

Remember that the goal was to make the next-generation password hashing
API. An (almost) foolproof way to make the applications secure. If you
expect them to timely realise the problems of md5() and go back to change
all their functions, you will replace the current function with
password_hash('password', SILLY_HASH, ...).

Developers with higher security knowledge (few of them, you'd almost need
to be a cryptographer yourself) can use the advanced parameters to tweak
it to their needs.

Regards
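The following is an added example, not code from the mail above or from the RFC draft it discusses. It shows the "magically change to a more secure hash" flow that the thread argues for, using the password API as it shipped in PHP 5.5 (password_hash(), password_verify(), password_needs_rehash() and the PASSWORD_DEFAULT constant; the draft names quoted in the mail, such as PASSWORD_DEFAULT_HASH, are not what was released). The user store, the user names and the passwords are constructed stand-ins, and the low-cost bcrypt hash for "bob" simulates a record written by an older deployment.

```php
<?php
// Added example: transparent hash upgrade with PASSWORD_DEFAULT.
// Not part of the original mail or the RFC; uses the PHP 5.5+ password API.

declare(strict_types=1);

// Constructed stand-in for a user table (username => stored hash string).
// A real application would read and write a database row instead.
$users = [];

function registerUser(array &$users, string $name, string $password): void
{
    // PASSWORD_DEFAULT is the point of the thread: PHP may move it to a
    // stronger algorithm in a later release, and this call follows it
    // without any change to application code.
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

function loginUser(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name];

    // password_verify() reads algorithm, cost and salt from the stored
    // string itself, so hashes made under an older default keep verifying.
    if (!password_verify($password, $stored)) {
        return false;
    }

    // The only moment the plaintext is available is a successful login:
    // if the stored hash is weaker than the current default (older
    // algorithm or lower cost), regenerate it now and persist the result.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Usage with constructed values; each check throws if the flow misbehaves.
registerUser($users, 'alice', 'correct horse battery staple');
if (!loginUser($users, 'alice', 'correct horse battery staple')) {
    throw new RuntimeException('valid login rejected');
}
if (loginUser($users, 'alice', 'wrong password')) {
    throw new RuntimeException('invalid login accepted');
}

// Simulated legacy record: bcrypt at cost 4, below the library default.
// After one successful login it is silently upgraded to the current default.
$users['bob'] = password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 4]);
$legacyHash = $users['bob'];
if (!loginUser($users, 'bob', 'hunter2')) {
    throw new RuntimeException('legacy login rejected');
}
if ($users['bob'] === $legacyHash) {
    throw new RuntimeException('legacy hash was not upgraded');
}
if (password_needs_rehash($users['bob'], PASSWORD_DEFAULT)) {
    throw new RuntimeException('upgraded hash still below default');
}
echo "All checks passed; legacy hash was rehashed at the current default.\n";
```

The design choice worth noting for the thread's argument: because the algorithm and parameters are self-describing in the stored string, a default bump never breaks verification of existing records, and password_needs_rehash() is what turns the bump into an actual strengthening of stored data, one login at a time. Deployments that need to pin the algorithm for a heterogeneous fleet pass an explicit constant such as PASSWORD_BCRYPT (and a cost) to both password_hash() and password_needs_rehash() instead of PASSWORD_DEFAULT.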