Newsgroups: php.internals
Date: Wed, 27 Jun 2012 22:06:52 -0400
Subject: Re: [PHP-DEV] [DRAFT RFC] Adding Simplified Password Hashing API
From: ircmaxell@gmail.com (Anthony Ferrara)
To: Pierre Joye
Cc: Gustavo Lopes, internals@lists.php.net

Pierre,

> No, it is exactly one example out of many where changing values are a
> real pain to deal with over the years. We should not have one.

While I completely see your point (and don't disagree with it in isolation), I also see the counterpoint of making it easy for people to use. Knowing anything about algorithms to force the common developer to make a choice between bcrypt and scrypt is unreasonable IMHO. It's an implementation detail that they should know, but most won't. Knowing the intricacies of the different algorithms is something even most senior devs (who are not active in security at least) don't understand. I'd rather present them best-case defaults, and let them make the decision to diverge from them.

With that said, what about a compromise? What if we made the API:

    password_hash($password, $algo, array $options = array())

And instead of just making the users choose which algorithm to use, we provide a "moving" constant called PASSWORD_MOST_SECURE, which will be updated every major release (assuming there's an update to apply) or in extreme circumstances (a serious flaw is found in the current most secure algorithm, justifying a concern).

That way, people don't have to worry about moving targets, because the core moves it for them as needed. But the choice has to be made. They aren't just relying upon the default. And the documentation surrounding it must indicate that if cross-platform interoperability is a concern, pick a standard algorithm such as bcrypt and use just that.

So then, a basic call would be:

    $hash = password_hash($password, PASSWORD_MOST_SECURE);

It solves both problems, while still being reasonably easy...

Thoughts?

Anthony
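The upgrade path that a "moving" constant implies for already-stored hashes, as an added example that is not part of the original message or the draft RFC. PASSWORD_MOST_SECURE is the name proposed above and is aliased here, as an assumption, to PHP's PASSWORD_DEFAULT; login_and_upgrade() is a hypothetical helper, and the password and cost values are constructed. It relies on password_verify(), password_needs_rehash() and password_get_info() from the password API available in PHP 5.5 and later (the syntax below needs PHP 7.1+).

```php
<?php
// PASSWORD_MOST_SECURE is the constant proposed in the message, not a real
// PHP constant. Assumption: alias it to PASSWORD_DEFAULT for illustration.
if (!defined('PASSWORD_MOST_SECURE')) {
    define('PASSWORD_MOST_SECURE', PASSWORD_DEFAULT);
}

/**
 * Hypothetical helper: check a login and, if the moving target has moved
 * since the hash was stored, return a replacement hash to persist.
 * Returns [bool $ok, ?string $newHash].
 */
function login_and_upgrade(string $password, string $storedHash, array $options = []): array
{
    // The stored string carries its own algorithm id, cost and salt, so a
    // hash made under an older default still verifies after the default moves.
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }
    // Rehashing is only possible here, while the plaintext is in hand.
    if (password_needs_rehash($storedHash, PASSWORD_MOST_SECURE, $options)) {
        return [true, password_hash($password, PASSWORD_MOST_SECURE, $options)];
    }
    return [true, null];
}

// Constructed sample: a hash stored earlier with a pinned algorithm (the
// interoperability choice from the message) and a lower cost.
$stored = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]);

// Later the target moves. A raised bcrypt cost stands in for a new default;
// the 'cost' option applies because PASSWORD_DEFAULT is currently bcrypt.
$current = ['cost' => 12];

[$ok, $upgraded] = login_and_upgrade('correct horse', $stored, $current);
echo 'login ok: ', var_export($ok, true), PHP_EOL;
echo 'stored cost: ', password_get_info($stored)['options']['cost'], PHP_EOL;
if ($upgraded !== null) {
    // The application would now overwrite the stored hash with $upgraded.
    echo 'upgraded cost: ', password_get_info($upgraded)['options']['cost'], PHP_EOL;
}

// A failed login never triggers a rehash.
[$ok, $upgraded] = login_and_upgrade('wrong guess', $stored, $current);
echo 'bad login ok: ', var_export($ok, true),
     ', rehash offered: ', var_export($upgraded !== null, true), PHP_EOL;
```

Hashes belonging to accounts that never log in again stay at the old parameters, which is the residual cost of a moving default.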