Newsgroups: php.internals
Xref: news.php.net php.internals:61187
Date: Thu, 12 Jul 2012 14:32:47 -0400
To: Pierre Joye
Cc: Richard Lynch, internals@lists.php.net
Subject: Re: [PHP-DEV] [DRAFT RFC] Adding Simplified Password Hashing API
From: ircmaxell@gmail.com (Anthony Ferrara)

Pierre,

> I've added a pair of new functions to the RFC and implementation:
> >
> > password_needs_rehash($hash, $algo, array $options = array())
>
> Not totally convinced about that one.

I'm not either. That's why I added the discussion point around it. I can
see it going either way.

> I would prefer a password_rehash
> instead, then a simple comparison is needed to know if an update is
> necessary or not.
>
> > password_get_info($hash)
>
> Sounds good, to get all the details about the given hash.

The *only* problem with this is what happens if the options array contains
unused variables for an algorithm. Say we implement scrypt, and there's an
R variable in the array. If we check a bcrypt algorithm hash (with
PASSWORD_BCRYPT specifically), if the array contains "R", it could throw a
red herring indicating an unnecessary re-hash. So there's some algorithmic
specific information that needs to be compared. Thereby making a
"needs_rehash" function in userland non-trivial. It's still not complex,
but it's not trivial either.

Part of me wants to see it as it would be maintained over the years as new
algorithms are introduced, and hence can compensate for other things that
implementing it in userland can't....

In other words, I'm not sure either way...

Anthony
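
The comparison problem described in the message above, sketched in PHP as an added example (not code from the message or from the RFC implementation). The function names `naive_needs_rehash` and `aware_needs_rehash` and the per-algorithm key table are hypothetical, and `R` is the hypothetical scrypt option the message mentions; `password_hash()` and `password_get_info()` are used as they later shipped in PHP 5.5, and the code assumes PHP 7 or newer.

```php
<?php
// Added illustration; both function names are hypothetical.

// Naive userland check: compare the caller's whole options array with what
// password_get_info() reports for the stored hash.
function naive_needs_rehash(string $hash, $algo, array $options = []): bool
{
    $info = password_get_info($hash);
    return $info['algo'] !== $algo || $info['options'] != $options;
}

// Algorithm-aware check: only options the hash's algorithm actually uses
// take part in the comparison. This key table is the part that has to be
// maintained as new algorithms are introduced.
function aware_needs_rehash(string $hash, $algo, array $options = []): bool
{
    $relevant = [PASSWORD_BCRYPT => ['cost']]; // assumption: bcrypt only
    $info = password_get_info($hash);

    if ($info['algo'] !== $algo || !isset($relevant[$algo])) {
        return true; // different or unknown algorithm: rehash
    }
    foreach ($relevant[$algo] as $key) {
        // Simplification: an option the caller omits is treated as "keep".
        if (isset($options[$key]) && $info['options'][$key] != $options[$key]) {
            return true;
        }
    }
    return false;
}

// Constructed sample data: a bcrypt hash at cost 10.
$hash = password_hash('constructed-sample-password', PASSWORD_BCRYPT, ['cost' => 10]);

// Shared application config that also carries the hypothetical scrypt "R".
$sameCost   = ['cost' => 10, 'R' => 8];
$higherCost = ['cost' => 12, 'R' => 8];

// The naive check flags the unchanged hash because of the unused "R" key.
var_dump(naive_needs_rehash($hash, PASSWORD_BCRYPT, $sameCost));
// The aware check ignores "R" and reacts only to the bcrypt cost.
var_dump(aware_needs_rehash($hash, PASSWORD_BCRYPT, $sameCost));
var_dump(aware_needs_rehash($hash, PASSWORD_BCRYPT, $higherCost));
```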