Newsgroups: php.internals
Subject: RE: [PHP-DEV] [PROPOSED] password_hash RFC - Implementing simplified password hashing functions
From: jbondc@openmv.com ("Jonathan Bond-Caron")
To: "'Jonathan Bond-Caron'", "'Anthony Ferrara'"
Date: Tue, 31 Jul 2012 09:07:58 -0400
Message-ID: <006001cd6f1d$82906bd0$87b14370$@com>
In-Reply-To: <005101cd6f18$9da38510$d8ea8f30$@com>
References: <4FFF1831.8070902@sugarcrm.com> <005101cd6f18$9da38510$d8ea8f30$@com>

> Say you have:
> define('MY_HASHING_SECRET', 'hhtrg54~%$%4....long');
> $password = '1234';
>
> password_hash_rfc($password . MY_HASHING_SECRET, PASSWORD_METHOD_BCRYPT);
> password_hash($password, MY_HASHING_SECRET);
>
> Note here that in both cases we let crypt() generate a random salt that
> is different for every password and store in the password.
>
> But our 'secret' that is appended to every password is not stored in a
> database for example, it's in some ways similar to a private key.
>
> -- password_make_salt()

Another comment about this, the 'secret' in this case is somewhat similar to the 'purpose' of the salt:
http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf

S = purpose || rv
P = password

What I'm proposing is:

S = rv (random value from crypt)
P = password || purpose

In the end, it's the same thing we're feeding into the hash (more data/bits).

Whatever api is used, I think it's important to allow appending this purpose or secret that's not stored directly in the final crypt() hash.
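The following is an added example, not code from the thread or from the password_hash RFC, showing the P = password || purpose scheme above built on the stock password_hash()/password_verify() API (PHP 7 or later assumed). The function names hash_password(), verify_password() and peppered(), the BCRYPT_MAX_INPUT constant and the pepper value are all assumptions constructed for this example. It also handles the one edge case a defender has to watch with this construction: bcrypt only consumes the first 72 bytes of its input, so a secret appended after a long password would otherwise be silently truncated away and contribute nothing.

```php
<?php
declare(strict_types=1);

// Constructed pepper for this example. In deployment it lives in config or an
// environment variable, never in the same database as the hashes, which is the
// property the thread is after: a DB dump alone is not enough to verify guesses.
const MY_HASHING_SECRET = 'hhtrg54~%$%4....long-constructed-pepper';

// bcrypt ignores everything after its 72nd input byte (assumed constant name).
const BCRYPT_MAX_INPUT = 72;

// Build P = password || purpose. If the concatenation would exceed bcrypt's
// limit, pre-hash it so the appended secret is never cut off. The pre-hash is
// deterministic, so hashing and verification stay consistent. base64 of a
// SHA-256 digest is 44 bytes and contains no NUL bytes, which bcrypt rejects.
function peppered(string $password, string $pepper): string
{
    $input = $password . $pepper;
    if (strlen($input) > BCRYPT_MAX_INPUT) {
        $input = base64_encode(hash('sha256', $input, true));
    }
    return $input;
}

// Let crypt()/bcrypt pick the random per-password salt; only the pepper is
// kept out of the stored string.
function hash_password(string $password, string $pepper = MY_HASHING_SECRET): string
{
    return password_hash(peppered($password, $pepper), PASSWORD_BCRYPT, ['cost' => 12]);
}

function verify_password(string $password, string $hash, string $pepper = MY_HASHING_SECRET): bool
{
    return password_verify(peppered($password, $pepper), $hash);
}

// Constructed usage.
$hash = hash_password('1234');
var_dump(verify_password('1234', $hash));
var_dump(verify_password('12345', $hash));
// Verifying without the pepper, as someone holding only the database would:
var_dump(password_verify('1234', $hash));

// Long password plus pepper: still verifies, because both sides pre-hash.
$long = str_repeat('a', 80);
var_dump(verify_password($long, hash_password($long)));
```

The first and fourth var_dump() print bool(true); the second (wrong password) and third (correct password but no pepper) print bool(false). The stored $hash carries only the bcrypt cost and the random salt, so rotating or losing the pepper invalidates every stored hash at once, which is the operational cost of keeping the secret outside the hash that the thread's proposal implies.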