Newsgroups: php.internals
Date: Wed, 1 Aug 2012 20:55:53 +0200
From: alex.aulbach@gmail.com (Alex Aulbach)
To: Ángel González
Cc: Peter Lind, Anthony Ferrara, internals@lists.php.net
Subject: Re: [PHP-DEV] [PROPOSED] password_hash RFC - Implementing simplified password hashing functions

2012/8/1 Ángel González:
> I'd go with the hashing. I would however produce a slightly different
> prefix than with bare bcrypt.

Like that. And I thought some about it.

Currently, there is no real need for that. And no one is hindered to implement his own version-information into it. But to do this right, there is a lack of information.

This brought me to a good idea: a constant

PASSWORD_VERSION

The current version-number of password-functions. You're free to store this information with the hash (e.g. '$$' . PASSWORD_VERSION . password_hash()..., of course remove it before verify!). Every change (new algorithms etc) will increment the version.

This can help to detect the case when in version 79 bcrypt is removed because too insecure/too old.

As said, currently not needed, but if someone likes to, here it is. :)

-- 
Alex Aulbach
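
The version-prefix scheme proposed in the message above, as an added example that is not part of the original post or of PHP itself. `PASSWORD_VERSION` is only a proposal here, so the sketch uses its own hypothetical constants `APP_PASSWORD_VERSION` and `APP_MIN_ACCEPTED_VERSION` and hypothetical helper names; it assumes PHP 7.1 or later.

```php
<?php
// Added example: PASSWORD_VERSION is only proposed in the message and is not
// a PHP constant, so this sketch defines application-level values instead.
const APP_PASSWORD_VERSION = 2;        // assumption: bumped by the application
const APP_MIN_ACCEPTED_VERSION = 2;    // assumption: older records get rehashed

/** Hash a password and prepend "$$<version>" as described in the message. */
function versioned_hash(string $password): string
{
    return '$$' . APP_PASSWORD_VERSION . password_hash($password, PASSWORD_BCRYPT);
}

/**
 * Split a stored value into [version, bare hash].
 * The bare hash starts with "$" (e.g. "$2y$"), which terminates the digits.
 * Values without the "$$" prefix are treated as version 0 (legacy records).
 */
function split_versioned(string $stored): array
{
    if (preg_match('/\A\$\$(\d+)(\$.+)\z/s', $stored, $m) === 1) {
        return [(int) $m[1], $m[2]];
    }
    return [0, $stored];
}

/** Verify against the bare hash and report whether the record is outdated. */
function verify_versioned(string $password, string $stored): array
{
    // The prefix is removed before password_verify() ever sees the hash.
    [$version, $hash] = split_versioned($stored);
    $ok = password_verify($password, $hash);
    return [
        'valid'   => $ok,
        'version' => $version,
        // Only a successful login gives us the plaintext needed to rehash.
        'rehash'  => $ok && $version < APP_MIN_ACCEPTED_VERSION,
    ];
}

// Constructed sample input: one versioned record, one legacy unprefixed record.
$stored = versioned_hash('correct horse');
$legacy = password_hash('correct horse', PASSWORD_BCRYPT);
var_dump(verify_versioned('correct horse', $stored)['rehash']);
var_dump(verify_versioned('correct horse', $legacy)['rehash']);
var_dump(verify_versioned('wrong guess', $stored)['valid']);
```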