Newsgroups: php.internals
Date: Mon, 9 Jul 2012 11:19:44 -0400
To: Richard Lynch, internals@lists.php.net
Subject: Re: [PHP-DEV] [DRAFT RFC] Adding Simplified Password Hashing API
From: ircmaxell@gmail.com (Anthony Ferrara)

I've added a pair of new functions to the RFC and implementation:

password_needs_rehash($hash, $algo, array $options = array())
and
password_get_info($hash)

Both are reasonably similar and there's a fair bit of overlap. Considering that password_needs_rehash can be implemented easily in user-land, I'm not convinced it's needed. Then again, it's easy to implement and shouldn't pose a maintenance headache, so I'm not sure if it shouldn't be there either...

What do you think?

Anthony

On Tue, Jul 3, 2012 at 5:24 PM, Anthony Ferrara wrote:

> Richard,
>
> > There is also the case of an app that simply shouldn't run with the
> > single default, but could pick and choose suitable algorithm from a
> > list of defaults, while still honoring whatever is in the .ini file
> > instead of going rogue with some other algorithm.
>
> I disagree there. I think that's up to the application to decide. A
> list of defaults does nothing but needlessly complicate the
> implementation. How is the hash function supposed to determine which
> of the list of defaults to use? Let the application layer choose, and
> pass it in. The current PASSWORD_DEFAULT lives for the sole reason
> that it auto-updates to indicate the most secure algorithm available.
>
> Anthony
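The following is an added example, not part of the original message and not the RFC's implementation: a sketch of how password_needs_rehash could be written in user-land on top of password_get_info, used in a verify-then-upgrade login step. The names userland_needs_rehash and verify_and_upgrade, the sample password and the cost values are assumptions; unlike a built-in, this helper compares only the options the caller passes in.

```php
<?php
declare(strict_types=1);

// Hypothetical user-land helper (name is an assumption, not from the RFC).
// Returns true when $hash was not produced with $algo and the given $options.
function userland_needs_rehash(string $hash, $algo, array $options = []): bool
{
    // password_get_info() reports the algorithm and options encoded in the hash.
    $info = password_get_info($hash);
    if ($info['algo'] !== $algo) {
        return true; // different or unrecognised algorithm
    }
    // Compare only the options the caller pins (e.g. an integer bcrypt 'cost').
    foreach ($options as $name => $wanted) {
        if (($info['options'][$name] ?? null) !== $wanted) {
            return true;
        }
    }
    return false;
}

// Verify a login and, if the stored hash no longer matches the policy,
// compute a replacement while the plaintext is still available.
// Returns [bool $ok, ?string $newHash]; the caller persists $newHash if set.
function verify_and_upgrade(string $password, string $stored, $algo, array $options): array
{
    if (!password_verify($password, $stored)) {
        return [false, null]; // never rehash on a failed verification
    }
    $new = userland_needs_rehash($stored, $algo, $options)
        ? password_hash($password, $algo, $options)
        : null;
    return [true, $new];
}

// Constructed sample: a hash created under an older policy (bcrypt, cost 4).
$old    = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 4]);
$policy = ['cost' => 10]; // constructed current policy

[$ok, $upgraded] = verify_and_upgrade('correct horse', $old, PASSWORD_BCRYPT, $policy);
var_dump($ok, $upgraded !== null);
var_dump(userland_needs_rehash($upgraded, PASSWORD_BCRYPT, $policy));

[$okWrong, $none] = verify_and_upgrade('wrong guess', $old, PASSWORD_BCRYPT, $policy);
var_dump($okWrong, $none);
```

The upgrade can only happen at login, because that is the one moment the application holds the plaintext needed to compute a hash under the new parameters.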