Newsgroups: php.internals
Subject: Re: [PHP-DEV] [PROPOSED] password_hash RFC - Implementing simplified password hashing functions
From: ircmaxell@gmail.com (Anthony Ferrara)
To: Jonathan Bond-Caron
Cc: internals@lists.php.net
Date: Tue, 31 Jul 2012 09:25:19 -0400
In-Reply-To: <005101cd6f18$9da38510$d8ea8f30$@com>
References: <4FFF1831.8070902@sugarcrm.com> <005101cd6f18$9da38510$d8ea8f30$@com>

Jonathan,

On Tue, Jul 31, 2012 at 8:32 AM, Jonathan Bond-Caron wrote:
> On Thu Jul 12 02:34 PM, Anthony Ferrara wrote:
>>
>> https://wiki.php.net/rfc/password_hash
>>
>
> -- password_hash()
>
> password_hash_rfc(string $password, int $algo, array $options = array())
>
> My personal opinion is the api should be:
>
> password_hash(string $password, string $secret = '', array $options = array());
>
> where $options['method'] = PASSWORD_METHOD_BCRYPT;
>
> Some people mentioned that the method/algorithm should be in the api? What
> was the problem if crypt() stores the actual method/algorithm in the hash?
>
> Using this api, we let crypt() choose a random salt value and we pick our
> secret.
>
> Say you have:
> define('MY_HASHING_SECRET', 'hhtrg54~%$%4....long');
> $password = '1234';
>
> password_hash_rfc($password . MY_HASHING_SECRET, PASSWORD_METHOD_BCRYPT);
> password_hash($password, MY_HASHING_SECRET);
>
> Note here that in both cases we let crypt() generate a random salt that is
> different for every password and stored in the password.
>
> But our 'secret' that is appended to every password is not stored in a
> database for example, it's in some ways similar to a private key.

Please see this section of the RFC:
https://wiki.php.net/rfc/password_hash#the_api_does_not_support_pepper

> -- password_make_salt()
>
> I would remove the need for this function.
>
> I think it's important the api emphasizes the importance of keeping a
> 'secret' + has the added value that every password hash is different with a
> crypt() salt.
>
> Thoughts?
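As an added example, not part of this thread, the RFC, or PHP core: the script below runs Jonathan's appended-secret ("pepper") form on the password_hash()/password_verify() API that this RFC eventually produced in PHP 5.5, whose shipped signature takes the algorithm as a parameter (password_hash(string $password, int $algo, array $options)). It shows why the algorithm does not have to be passed again at verification time (the hash string itself carries algorithm, cost and salt), that every hash of the same password differs because crypt() chooses a fresh salt, and one caveat of appending a secret to a bcrypt input. MY_HASHING_SECRET is the name from Jonathan's message; its value, and the helper names hash_with_pepper(), verify_with_pepper() and expect(), are constructed here for illustration only.

```php
<?php
declare(strict_types=1);

// Added example; not code from the RFC, PHP core, or the thread.
// Placeholder pepper: the name is Jonathan's, the value is constructed here.
const MY_HASHING_SECRET = 'hhtrg54~%$%4-constructed-pepper-value';

// Small check helper so the script fails loudly instead of depending on
// assert(), which production php.ini settings typically compile out.
function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("expectation failed: $what");
    }
}

// First form from the message: append the application secret to the password
// and let bcrypt pick a random per-password salt. The salt, algorithm id and
// cost are encoded in the returned string; the secret is not.
function hash_with_pepper(string $password): string
{
    return password_hash($password . MY_HASHING_SECRET, PASSWORD_BCRYPT, ['cost' => 10]);
}

function verify_with_pepper(string $password, string $hash): bool
{
    return password_verify($password . MY_HASHING_SECRET, $hash);
}

$hash = hash_with_pepper('1234');

// The stored value is self-describing: "$2y$" . cost . "$" . 22-char salt . 31-char digest.
expect(substr($hash, 0, 7) === '$2y$10$', 'bcrypt prefix with cost encoded in the hash');
expect(strlen($hash) === 60, 'standard 60-character bcrypt string');

// password_get_info() reads the algorithm and options back out of the string,
// which is why verification needs no separate "method" argument.
$info = password_get_info($hash);
expect($info['algoName'] === 'bcrypt', 'algorithm recoverable from the hash');
expect($info['options']['cost'] === 10, 'cost recoverable from the hash');

// Two hashes of the same password differ because crypt() chose a fresh salt.
expect($hash !== hash_with_pepper('1234'), 'per-password random salt');

// Verification needs both the password and the secret.
expect(verify_with_pepper('1234', $hash), 'correct password plus secret verifies');
expect(!password_verify('1234', $hash), 'password without the secret does not verify');
expect(!verify_with_pepper('12345', $hash), 'wrong password does not verify');

// Caveat for the appended-secret form: bcrypt uses at most the first 72 bytes
// of its input. With a 72-byte password the appended secret is never seen by
// the hash, so any trailing bytes on the candidate password still verify.
$long = str_repeat('a', 72);
$h = hash_with_pepper($long);
expect(password_verify($long . 'anything', $h), 'bytes past 72 are ignored by bcrypt');

echo "all checks passed\n";
```

Run it with `php example.php`; it throws on the first failed expectation. The 72-byte behaviour at the end is the practical reason the appended-secret form needs care: keep the secret short or otherwise bound the password length before concatenation, and keep in mind that, as the RFC section linked above states, the shipped API leaves the secret (pepper) entirely to the application rather than taking it as an argument.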