Newsgroups: php.internals
Xref: news.php.net php.internals:61073
Subject: Re: [PHP-DEV] [DRAFT RFC] Adding Simplified Password Hashing API
From: ircmaxell@gmail.com (Anthony Ferrara)
To: Christopher Jones
Cc: internals@lists.php.net
Date: Mon, 2 Jul 2012 19:23:08 -0400
In-Reply-To: <4FF210F7.7070307@oracle.com>
References: <4FF1FD89.6090308@oracle.com> <4FF210F7.7070307@oracle.com>

Chris,

> To be honest, a note next to PASSWORD_DEFAULT would be good too.

Ok, I'll add that in shortly.

>>> The API of password_make_salt() seems restrictive. What if other
>>> options are needed in future?
>>
>> Can you give any examples of what options would be needed in the
>> future, or how you would like to see the API?
>
> I only have brainstorm thoughts on this, since I don't have a crystal
> ball. What if characters other than a-zA-Z0-9./ should/can be used
> for some PASSWORD_xxx algorithms? What if some seed is needed? What
> if the salt creation algorithm should be swappable due to resource
> usage reasons, etc?

Actually... What about making the `raw_output` parameter a bitmask. Then
provide:

PASSWORD_SALT_CRYPT = 1
PASSWORD_SALT_RAW = 2

Then, in the future you could add a bunch of others
PASSWORD_SALT_SOMETHINGELSE. And you could combine some:
PASSWORD_SALT_DEV_RANDOM, PASSWORD_SALT_WHATEVER...

> Also, do you really need a php.ini parameter? It's yet another
> potential way to attack a system.

Well, if not for an ini parameter, what way would you suggest to alter
the default bcrypt cost? (seriously, I'm open to suggestions)...

Thanks,

Anthony
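An added sketch of the bitmask variant proposed in the message above; it is not code from the RFC or from PHP's implementation. The two flag values are the ones named in the message; the helper name password_make_salt_demo(), the output-flag check, the use of random_bytes() (PHP 7+) and the base64-to-crypt-alphabet mapping are assumptions made for this illustration.

```php
<?php
// Flag values as proposed in the thread; the mask and everything below
// are assumptions for this demo, not the RFC's implementation.
const PASSWORD_SALT_CRYPT = 1;   // output in the crypt(3) alphabet ./0-9A-Za-z
const PASSWORD_SALT_RAW   = 2;   // output the raw random bytes
const PASSWORD_SALT_OUTPUT_MASK = PASSWORD_SALT_CRYPT | PASSWORD_SALT_RAW;

/**
 * Return $length salt characters (CRYPT) or bytes (RAW) from the OS CSPRNG.
 * Exactly one output flag must be set; the remaining bits stay free so
 * further PASSWORD_SALT_* options could be OR-ed in later, as suggested.
 */
function password_make_salt_demo(int $length, int $flags = PASSWORD_SALT_CRYPT): string
{
    if ($length < 1) {
        throw new InvalidArgumentException('Salt length must be positive');
    }
    $output = $flags & PASSWORD_SALT_OUTPUT_MASK;
    if ($output !== PASSWORD_SALT_CRYPT && $output !== PASSWORD_SALT_RAW) {
        throw new InvalidArgumentException('Set exactly one of PASSWORD_SALT_CRYPT / PASSWORD_SALT_RAW');
    }
    if ($output === PASSWORD_SALT_RAW) {
        return random_bytes($length);            // caller chooses the encoding
    }
    // Each crypt-alphabet character carries 6 bits, so draw ceil(6n/8) bytes,
    // base64-encode them, map '+' to '.', drop '=' padding and cut to length.
    // The result uses only ./0-9A-Za-z, which bcrypt accepts as salt input.
    $bytes   = random_bytes((int) ceil($length * 6 / 8));
    $encoded = rtrim(strtr(base64_encode($bytes), '+', '.'), '=');
    return substr($encoded, 0, $length);
}

// Usage: a 22-character bcrypt salt. The cost is passed explicitly here;
// how a *default* cost should be configured is the open question above.
$cost     = 10;
$password = 'correct horse battery staple';   // constructed sample input
$salt     = password_make_salt_demo(22, PASSWORD_SALT_CRYPT);
$hash     = crypt($password, sprintf('$2y$%02d$%s', $cost, $salt));

var_dump(strlen($salt) === 22);                                  // bool(true)
var_dump(preg_match('#^[./0-9A-Za-z]{22}$#', $salt) === 1);      // bool(true)
var_dump(strlen($hash) === 60);                                  // bool(true)
var_dump(hash_equals($hash, crypt($password, $hash)));           // bool(true)
var_dump(strlen(password_make_salt_demo(16, PASSWORD_SALT_RAW)) === 16); // bool(true)
```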