Newsgroups: php.internals
From: Anthony Ferrara <ircmaxell@gmail.com>
To: Hannes Magnusson
Cc: internals@lists.php.net
Date: Mon, 10 Sep 2012 10:31:32 -0400
Subject: Re: [PHP-DEV] [VOTE] Add simplified password hashing API

Hannes,

On Sun, Sep 9, 2012 at 12:23 PM, Hannes Magnusson <hannes.magnusson@gmail.com> wrote:

> On Tue, Sep 4, 2012 at 3:16 PM, Anthony Ferrara wrote:
> > Hello all,
> >
> > I'm opening the vote for the simplified password hashing API indicated here:
> >
> > https://wiki.php.net/rfc/password_hash
>
> I like the idea, but I don't understand why this isn't developed as an extension first and then brought into core when it has proven to work and actually simplify things for the user?

First off, this has been discussed on the list for literally months. Why wait until the day before voting can end before bringing this up?

Secondly, the main reason for not developing this as an extension is that there's really no benefit to it. There are little to no performance gains to be had by the C implementation. It can live quite as easily as a PHP library.

The main reason for putting it in core is so that it's available to everyone, including people who have no idea how to use a library. By putting notes in the hash, md5, sha1 and crypt documentation pages pointing to this alternative, hopefully it will make it far easier for novices and people who don't know any better to securely hash passwords. If you know enough to understand this problem, you're likely solving it already. But as recent attacks show, even experienced developers don't understand the problem. So by putting it in core, we're making a point and making it trivially easy to do it right. So trivial that it's actually just as hard (if not harder) to do it wrong. To that effect, the only way it can be done is to do it in core...

> Especially considering the patch is unfinished.

Aside from adding a few more tests, what's unfinished? If you're referring to the line in the RFC, I just haven't updated it. The patch has been worked on and is in a place where I'd be comfortable submitting it...

Thanks,

Anthony