Newsgroups: php.internals
Message-ID: <4FF210F7.7070307@oracle.com>
Date: Mon, 02 Jul 2012 14:21:59 -0700
To: Anthony Ferrara
CC: internals@lists.php.net
References: <4FF1FD89.6090308@oracle.com>
Subject: Re: [PHP-DEV] [DRAFT RFC] Adding Simplified Password Hashing API
From: christopher.jones@oracle.com (Christopher Jones)

On 07/02/2012 01:55 PM, Anthony Ferrara wrote:
> Chris,
>
>> Can you update the RFC (aka future documentation) and make this obvious
>> to an end user?
>
> I just made an update (in the behavior sections). Let me know if
> additional clarification is needed.

To be honest, a note next to PASSWORD_DEFAULT would be good too.

>> The API of password_make_salt() seems restrictive. What if other
>> options are needed in future?
>
> Can you give any examples of what options would be needed in the
> future, or how you would like to see the API?

I only have brainstorm thoughts on this, since I don't have a crystal ball.
What if characters other than a-zA-Z0-9./ should/can be used for some
PASSWORD_xxx algorithms? What if some seed is needed? What if the salt
creation algorithm should be swappable due to resource usage reasons, etc?

Also, do you really need a php.ini parameter? It's yet another potential
way to attack a system.

Chris

-- 
christopher.jones@oracle.com
http://twitter.com/#!/ghrd
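The PASSWORD_DEFAULT caveat Chris asks to have documented is the one that bites in practice: the algorithm (and therefore the hash format and length) behind PASSWORD_DEFAULT is allowed to change between PHP releases, so code must store the hash in a wide column and upgrade old hashes when it next has the plaintext in hand. The following is an added example, not code from the RFC or from anyone in this thread. It uses the API as it later shipped in PHP 5.5 (password_hash, password_verify, password_needs_rehash, password_get_info) rather than the draft's password_make_salt(), and the function names register(), login() and the in-memory $users table are illustrative stand-ins for an application and its user store. It needs PHP 7.0 or later for the scalar type declarations.

```php
<?php
// Added example (not from the RFC or this thread): the PASSWORD_DEFAULT
// caveat, using the API as it shipped in PHP 5.5+. The draft discussed in
// this thread exposed a password_make_salt(); the shipped API generates the
// salt internally and callers should not supply one.

declare(strict_types=1);

// Policy for *new* hashes. Raise the cost over time; existing hashes are
// upgraded lazily on successful login by login() below.
const HASH_ALGO    = PASSWORD_DEFAULT;
const HASH_OPTIONS = ['cost' => 12];

// Constructed stand-in for a user table: username => stored hash string.
// A real schema needs a column of at least 255 characters, because the
// length of a PASSWORD_DEFAULT hash is not fixed across PHP versions.
$users = [];

function register(array &$users, string $username, string $password): void
{
    // No 'salt' option: the API draws a salt from a CSPRNG itself.
    $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
}

function login(array &$users, string $username, string $password): bool
{
    // Verify against a fixed dummy hash when the user is unknown so that
    // response time does not reveal whether the username exists.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', HASH_ALGO, HASH_OPTIONS);
    }

    $stored = $users[$username] ?? $dummy;
    $ok     = password_verify($password, $stored);
    if (!$ok || !isset($users[$username])) {
        return false;
    }

    // PASSWORD_DEFAULT may now point at a different algorithm, and
    // HASH_OPTIONS at a different cost, than when this hash was created.
    // Only on a successful login do we hold the plaintext, so upgrade here.
    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTIONS)) {
        $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

register($users, 'alice', 'correct horse battery staple');

// Show what PASSWORD_DEFAULT resolved to on this PHP build and how long
// the resulting string is; both are exactly the things the documentation
// note should warn may change.
$info = password_get_info($users['alice']);
printf("algo=%s len=%d\n", $info['algoName'], strlen($users['alice']));

// Simulate a hash created under an older, weaker policy (bcrypt, cost 4)
// and watch login() upgrade it to the current policy on success.
$users['legacy'] = password_hash('old-password', PASSWORD_BCRYPT, ['cost' => 4]);
var_dump(password_get_info($users['legacy'])['options']);
var_dump(login($users, 'legacy', 'old-password'));
var_dump(password_get_info($users['legacy'])['options']);
var_dump(login($users, 'legacy', 'wrong'));
var_dump(login($users, 'nobody', 'whatever'));
```

The design point is that the rehash decision is made by password_needs_rehash() against the application's current policy constants, not by parsing the hash string: when a future PHP release moves PASSWORD_DEFAULT to a new algorithm, this code starts migrating users on their next login with no changes beyond the column width.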