Newsgroups: php.internals
Subject: Re: [PHP-DEV] How about adding PHPass compatibility to the password hashing API
From: ircmaxell@gmail.com (Anthony Ferrara)
To: Nicolas Grekas
Cc: internals@lists.php.net
Date: Thu, 13 Sep 2012 07:49:17 -0400

Nicolas:

On Thu, Sep 13, 2012 at 7:33 AM, Nicolas Grekas <nicolas.grekas+php@gmail.com> wrote:
> Hi,
>
> What do you think about adding PHPass compatibility to the password hashing
> API?
> We could add two new algos: PASSWORD_MD5 and PASSWORD_EXT_DES.
> That way, existing passwords crypted using phpass ($P$*, $H$*, _* prefix)
> could be verified using the password hashing API.
> The PHPass implementation could then be merged with
> https://github.com/ircmaxell/password_compat to provide a forward
> compatible PHP implementation for users without PHP 5.5.
>

The way password_verify is implemented, it can use any crypt(3) generated hash for verification. It's just a proxy to crypt() with a few extra checks (it won't verify STD_DES, as it's too short).

With respect to adding those algorithms for generating hashes, I'm 100% dead set against it. Both are significantly weaker algorithms than BCrypt. I'd rather have this API only contain strong algorithms.

As far as merging PHPASS, I don't really see the reason either. It's a weaker algorithm (by a long shot). And it's not really tested as an algorithm outside of the PHP community. For versions < 5.3, it's better than what's trivially available (though PBKDF2 + SHA2 is significantly better, and easily implementable in 5.2). But for 5.3+ there are a number of algorithms available that are significantly stronger (SHA256, SHA512, BCRYPT).

The last thing I want to happen is to give the user the ability to make a bad choice without knowing any better (which is why BCRYPT is the only option so far).

If you want to support PHPASS passwords, just write a quick wrapper that checks the prefix, and if it's PHPASS, hash it with PHPASS, then upgrade the hash. It's not that difficult to implement...

Anthony
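The "quick wrapper" Anthony describes, as an added example that is not part of the thread and not code from password_compat or the phpass project: `phpass_portable_hash()` is a from-scratch reimplementation of the phpass portable `$P$`/`$H$` scheme (iterated MD5 over salt and password, custom base64 output) so that legacy hashes can be checked without loading phpass itself; `_*` EXT_DES hashes are deliberately not handled. The `$user` array standing in for a database row, the `verify_and_upgrade()` name and the constructed salt `abcdefgh` are assumptions for the example. Verification is constant-time via `hash_equals()`, and any legacy match is immediately rewritten with `password_hash()` so the weak hash leaves storage on the user's next successful login.

```php
<?php
// Added example: legacy phpass portable-hash verification with transparent
// upgrade to bcrypt through the password hashing API. Not the project's code.

const PHPASS_ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

/** phpass's custom base64 variant (3 input bytes -> 4 chars, low bits first). */
function phpass_encode64(string $input, int $count): string
{
    $itoa64 = PHPASS_ITOA64;
    $output = '';
    $i = 0;
    do {
        $value = ord($input[$i++]);
        $output .= $itoa64[$value & 0x3f];
        if ($i < $count) { $value |= ord($input[$i]) << 8; }
        $output .= $itoa64[($value >> 6) & 0x3f];
        if ($i++ >= $count) { break; }
        if ($i < $count) { $value |= ord($input[$i]) << 16; }
        $output .= $itoa64[($value >> 12) & 0x3f];
        if ($i++ >= $count) { break; }
        $output .= $itoa64[($value >> 18) & 0x3f];
    } while ($i < $count);
    return $output;
}

/**
 * Reimplementation of the phpass portable hash: "$P$" or "$H$", one
 * itoa64 char giving log2(iterations), an 8-char salt, then 22 chars of hash.
 * Returns "*0"/"*1" (never equal to a real hash) on malformed settings.
 */
function phpass_portable_hash(string $password, string $setting): string
{
    $output = '*0';
    if (substr($setting, 0, 2) === $output) { $output = '*1'; }
    if (strlen($setting) < 12) { return $output; }
    $id = substr($setting, 0, 3);
    if ($id !== '$P$' && $id !== '$H$') { return $output; }
    $countLog2 = strpos(PHPASS_ITOA64, $setting[3]);
    if ($countLog2 === false || $countLog2 < 7 || $countLog2 > 30) { return $output; }
    $count = 1 << $countLog2;
    $salt = substr($setting, 4, 8);
    // Iterated MD5 in binary mode: md5(salt.pw), then md5(hash.pw) $count times.
    $hash = md5($salt . $password, true);
    do {
        $hash = md5($hash . $password, true);
    } while (--$count);
    return substr($setting, 0, 12) . phpass_encode64($hash, 16);
}

/** True if $stored carries a phpass portable-hash prefix. */
function is_phpass_hash(string $stored): bool
{
    return strncmp($stored, '$P$', 3) === 0 || strncmp($stored, '$H$', 3) === 0;
}

/**
 * Verify $password against $user['hash']; on success, make sure the stored
 * hash is bcrypt (rewriting legacy phpass hashes and stale bcrypt costs).
 * Returns whether the password was correct; $user is updated in place.
 */
function verify_and_upgrade(string $password, array &$user): bool
{
    $stored = $user['hash'];
    if (is_phpass_hash($stored)) {
        if (!hash_equals($stored, phpass_portable_hash($password, $stored))) {
            return false;
        }
        // Legacy hash matched: replace it with bcrypt right away.
        $user['hash'] = password_hash($password, PASSWORD_BCRYPT);
        return true;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT)) {
        $user['hash'] = password_hash($password, PASSWORD_BCRYPT);
    }
    return true;
}

// Constructed legacy record: a $P$ hash with 2^13 iterations ('B') and salt 'abcdefgh'.
$user = ['hash' => phpass_portable_hash('correct horse battery', '$P$Babcdefgh')];
$rejected = verify_and_upgrade('wrong password', $user);
$stillLegacy = is_phpass_hash($user['hash']);
$accepted = verify_and_upgrade('correct horse battery', $user);
$nowBcrypt = !is_phpass_hash($user['hash']) && password_verify('correct horse battery', $user['hash']);
var_dump($rejected, $stillLegacy, $accepted, $nowBcrypt);
```

Run as-is, the wrong password is rejected and leaves the legacy hash untouched, while the correct password is accepted and the record ends up holding a `$2y$` bcrypt hash that `password_verify()` checks on every later login. The phpass branch only ever runs for hashes that already exist in storage; nothing here can create a new `$P$` hash, which matches the thread's position that the API should not offer the weaker algorithm as a choice.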