Newsgroups: php.internals
Date: Tue, 3 Jul 2012 07:53:27 -0400
To: Pierre Joye
Cc: Gustavo Lopes, Simon Schick, internals@lists.php.net
Subject: Re: [PHP-DEV] [DRAFT RFC] Adding Simplified Password Hashing API
From: ircmaxell@gmail.com (Anthony Ferrara)

Pierre,

Getting back to the PASSWORD_DEFAULT discussion... I know you didn't like
PASSWORD_MOST_SECURE. So what about keeping PASSWORD_DEFAULT as a moving
target, documented, and just making the second parameter (algo) to
password_hash required? That way users could choose between PASSWORD_BCRYPT
and PASSWORD_DEFAULT. That way, over time, PASSWORD_DEFAULT could be updated,
and it would be documented that it would change. But it would require them to
understand that it could change...

Would that satisfy your issues?

Thanks,

Anthony

On Wed, Jun 27, 2012 at 8:12 AM, Pierre Joye wrote:
> hi,
>
> On Wed, Jun 27, 2012 at 1:49 PM, Gustavo Lopes wrote:
>> On Wed, 27 Jun 2012 13:37:50 +0200, Pierre Joye wrote:
>>
>>> That's exactly what I meant, having a changing default in this may
>>> force code change during php updates. I'm not in favour of having such
>>> default.
>>>
>>
>> This would not require any code changes after updates.
>>
>> As I understand, hashes computed with the old default method could still be
>> checked without any modification as the hash itself stores information about
>> the method.
>
> That's only about one relatively simple use case where only PHP would
> be involved or crypt-like implementation. For any other and rather
> common cases, it won't. I do not think a default should be implemented
> and actually let the user know what he uses and what he is doing.
> That's one argument after all and clears all possible caveats.
>
> Cheers,
> --
> Pierre
>
> @pierrejoye | http://blog.thepimp.net | http://www.libgd.org
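
The trade-off discussed in this message, as an added example that is not part of the original e-mail or the RFC: a hash written under an older setting still verifies because the hash string names its own algorithm and cost, and the caller either follows PASSWORD_DEFAULT or pins PASSWORD_BCRYPT. It assumes the password API as shipped in released PHP (`password_verify`, `password_get_info`, `password_needs_rehash`; PHP 7.1 or later for the syntax used), which may differ from the draft under discussion; the `login()` helper, the sample password, the cost values and the external consumer are constructed for illustration.

```php
<?php
// Added example; not code from the RFC or from the thread.
$password = 'correct horse battery staple';           // constructed sample

// Constructed "old" record: bcrypt at the minimum cost, standing in for a
// hash written before the default was raised or replaced.
$stored = password_hash($password, PASSWORD_BCRYPT, ['cost' => 4]);

// The hash string itself names the algorithm and cost ("$2y$04$...").
$info = password_get_info($stored);
printf("stored : %s cost=%d (%s...)\n",
    $info['algoName'], $info['options']['cost'], substr($stored, 0, 7));

/**
 * Hypothetical helper: verify against whatever format is stored, then
 * upgrade to the current policy if the stored hash no longer matches it.
 * Returns [authenticated, hash to persist].
 */
function login(string $password, string $stored, $algo, array $options = []): array
{
    if (!password_verify($password, $stored)) {
        return [false, $stored];
    }
    if (password_needs_rehash($stored, $algo, $options)) {
        $stored = password_hash($password, $algo, $options);
    }
    return [true, $stored];
}

// Moving target: the caller follows PASSWORD_DEFAULT across PHP upgrades.
[$ok, $upgraded] = login($password, $stored, PASSWORD_DEFAULT);
$new = password_get_info($upgraded);
printf("default: ok=%s -> %s %s\n",
    var_export($ok, true), $new['algoName'], json_encode($new['options']));

// Pinned: the caller names PASSWORD_BCRYPT, so the stored format only
// changes when this code changes (here, a higher constructed cost).
[$ok, $pinned] = login($password, $stored, PASSWORD_BCRYPT, ['cost' => 12]);
printf("pinned : ok=%s -> %s...\n", var_export($ok, true), substr($pinned, 0, 7));

// A hypothetical non-PHP consumer that only parses "$2y$" hashes keeps
// working with the pinned value; with PASSWORD_DEFAULT that depends on
// what the running PHP version maps the constant to.
var_dump(strncmp($pinned, '$2y$', 4) === 0);
```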