Newsgroups: php.internals
Message-ID: <4FF1FD40.8000406@oracle.com>
Date: Mon, 02 Jul 2012 12:57:52 -0700
To: Anthony Ferrara
CC: internals@lists.php.net
Subject: Re: [PHP-DEV] [DRAFT RFC] Adding Simplified Password Hashing API
From: christopher.jones@oracle.com (Christopher Jones)

On 06/27/2012 07:16 AM, Anthony Ferrara wrote:
> Arvids,
>
> On Wed, Jun 27, 2012 at 9:23 AM, Arvids Godjuks
> wrote:
>> Hello.
>>
>> I personally think that using PASSWORD_DEFAULT for algorithm by default is a
>> bad idea. This should be defined by user in the code. Even worse if it is
>> defined by .ini setting - deploy to a remote server and realize that there
>> is a different .ini default that messes up everything. Lessons learned in
>> the past are forgotten fast?
>
> It wouldn't mess up anything. All it would do is change the algorithm
> used by the library when creating new passwords. Existing ones will
> still validate. The new ones will validate on the old server as long
> as that algorithm is supported (could be an issue in a mixed
> environment where there are servers using an older version without
> support for the new method in crypt())...

Hi Anthony,

Can you update the RFC (aka future documentation) and make this obvious
to an end user?

Chris

-- 
christopher.jones@oracle.com
http://twitter.com/#!/ghrd
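
One way to handle the mixed-environment case raised in the quoted reply, as an added example that is not code from the RFC or from anyone in this thread: verification reads the algorithm from the stored hash, and upgrades are pinned to an algorithm the whole fleet supports instead of following PASSWORD_DEFAULT. It assumes the password_* functions as shipped in PHP 5.5+ (the syntax needs PHP 7.0+); FLEET_ALGO, FLEET_OPTIONS, server_understands and check_login are hypothetical names, and the passwords and cost values are constructed.

```php
<?php
// Added example; the passwords, cost values and helper names are constructed.

// Algorithm every server in the fleet is known to support (assumption).
const FLEET_ALGO = PASSWORD_BCRYPT;
const FLEET_OPTIONS = ['cost' => 11];

// True when this server recognises the algorithm encoded in a stored hash.
// password_get_info() reports algo 0 (PHP < 7.4) or null (PHP >= 7.4) for
// strings it cannot identify, which is what an older server would see for a
// hash produced by a newer default.
function server_understands(string $storedHash): bool
{
    return !empty(password_get_info($storedHash)['algo']);
}

// Verify a login. Returns false on failure, a replacement hash (string) when
// the stored one should be upgraded, or null when it can stay as it is.
function check_login(string $password, string $storedHash)
{
    if (!server_understands($storedHash) || !password_verify($password, $storedHash)) {
        return false;
    }
    // Rehash against the pinned algorithm, not PASSWORD_DEFAULT, so a newer
    // server never writes hashes that older servers cannot validate.
    if (password_needs_rehash($storedHash, FLEET_ALGO, FLEET_OPTIONS)) {
        return password_hash($password, FLEET_ALGO, FLEET_OPTIONS);
    }
    return null;
}

// Constructed demonstration: a hash made under an older, cheaper setting.
$old = password_hash('constructed-password', PASSWORD_BCRYPT, ['cost' => 10]);

var_dump(server_understands($old));            // algorithm is read from the hash itself
var_dump(check_login('wrong-password', $old)); // bad password is rejected
$upgraded = check_login('constructed-password', $old);
var_dump(is_string($upgraded));                // cost 10 differs from the pinned cost 11
var_dump(check_login('constructed-password', $upgraded)); // already at the pinned setting
var_dump(server_understands('$9z$constructed-unknown-format')); // unrecognised prefix
```

Raising FLEET_ALGO only after every server has been upgraded keeps newly written hashes verifiable everywhere.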