Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:61889 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 50597 invoked from network); 31 Jul 2012 12:33:04 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 31 Jul 2012 12:33:04 -0000 Authentication-Results: pb1.pair.com smtp.mail=jbondc@openmv.com; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=jbondc@openmv.com; sender-id=unknown Received-SPF: error (pb1.pair.com: domain openmv.com from 64.15.152.204 cause and error) X-PHP-List-Original-Sender: jbondc@openmv.com X-Host-Fingerprint: 64.15.152.204 mail.ca.gdesolutions.com Received: from [64.15.152.204] ([64.15.152.204:61956] helo=mail.ca.gdesolutions.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 6E/6B-00342-E70D7105 for ; Tue, 31 Jul 2012 08:33:04 -0400 Received: from localhost (localhost [127.0.0.1]) by mail.ca.gdesolutions.com (Postfix) with ESMTP id 733FC5DB4; Tue, 31 Jul 2012 08:33:00 -0400 (EDT) X-Virus-Scanned: amavisd-new at gdesolutions.com Received: from mail.ca.gdesolutions.com ([127.0.0.1]) by localhost (mail.ca.gdesolutions.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id my-v7XNCB8iz; Tue, 31 Jul 2012 08:32:59 -0400 (EDT) Received: from djbondc (modemcable166.116-70-69.static.videotron.ca [69.70.116.166]) by mail.ca.gdesolutions.com (Postfix) with ESMTPSA id 6E7995DAF; Tue, 31 Jul 2012 08:32:59 -0400 (EDT) To: "'Anthony Ferrara'" Cc: References: <4FFF1831.8070902@sugarcrm.com> In-Reply-To: Date: Tue, 31 Jul 2012 08:32:56 -0400 Message-ID: <005101cd6f18$9da38510$d8ea8f30$@com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 12.0 Thread-Index: Ac1gXRQn1beTS1lUQhKjNaTg6aUcUAOt2zhA Content-Language: en-ca Subject: RE: [PHP-DEV] [PROPOSED] password_hash RFC - Implementing simplified password hashing functions From: jbondc@openmv.com ("Jonathan Bond-Caron") On Thu Jul 12 02:34 PM, Anthony Ferrara wrote: > > > https://wiki.php.net/rfc/password_hash -- password_hash() password_hash_rfc(string $password, int $algo, array $options = array()) My personal opinion is the api should be: password_hash(string $password, string $secret = '', array $options = array()); where $options['method'] = PASSWORD_METHOD_BCRYPT; Some people mentioned that the method/algorithm in should be the api? What was the problem if crypt() stores the actual method/algorithm in the hash? Using this api, we let crypt() should a random salt value and we pick our secret. Say you have: define('MY_HASHING_SECRET', 'hhtrg54~%$%4....long'); $password = '1234'; password_hash_rfc($password . MY_HASHING_SECRET, PASSWORD_METHOD_BCRYPT); password_hash($password, MY_HASHING_SECRET); Note here that in both cases we let crypt() generate a random salt that is different for every password and store in the password. But our 'secret' that is appended to every password is not stored in a database for example, it's in some ways similar to a private key. -- password_make_salt() I would remove the need for this function. I think it's important the api emphasizes the importance of keeping a 'secret' + has the added value that every password hash is different with a crypt() salt. Thoughts?