Newsgroups: php.internals
Date: Tue, 31 Mar 2015 14:49:24 -0400
From: ircmaxell@gmail.com (Anthony Ferrara)
To: internals@lists.php.net
Subject: password_hash() deprecate salt option - thoughts?

All,

Ever since we introduced password_hash() in 5.5, I've been watching its usage as much as possible. I've set up Google alerts and such, as well as auditing implementations I've found on GitHub to try to understand how it's used.

One thing has become abundantly clear to me: the salt option is dangerous.

I've yet to see a single usage of the salt option that has been even decent. Every usage ranges from bad (passing mt_rand() output) to dangerous (static strings) to insane (passing the password as its own salt).

I've come to the conclusion that I don't think we should allow users to specify the salt. The crypt() API still exists if users have a need to generate their own salt. Having it in the simplified API is simply adding a risk factor without any significant justification.

So I'd like to hear your thoughts about raising E_DEPRECATED when the salt option is specified in 7.0, with ultimately removing the option in a later version.

Additionally, I know this is after the RFC freeze deadline, so if you want to postpone the deprecation to 7.1, that's fine. I just think it's worth discussion (and if there's consensus to put it in 7.0, then great).

Thanks,

Anthony
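The risk the message describes, as an added PHP example that is not part of this thread: a caller-supplied static salt (shown here through crypt(), which the message names as the API that still takes one) makes equal passwords produce equal hashes, whereas password_hash() with no salt option draws a fresh random salt per call and still verifies normally. The helper names and the sample users are assumptions made for the example.

```php
<?php
// Added example, not from the thread. Shows why a caller-chosen salt is
// risky: with a static salt, identical passwords yield identical hashes, so
// password reuse is visible to anyone who can read the hash table.

// Anti-pattern from the message: a static salt. crypt() still accepts a
// caller-provided salt; a bcrypt salt is 22 chars from ./A-Za-z0-9.
// Constructed value for illustration only.
const STATIC_BCRYPT_SALT = '$2y$10$abcdefghijklmnopqrstuv';

function hashWithStaticSalt(string $password): string
{
    return crypt($password, STATIC_BCRYPT_SALT);
}

// Recommended form: no salt option at all. password_hash() generates a
// random salt itself and embeds it (plus the cost) in the returned string.
function hashProperly(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
}

// Verification reads the salt back out of the stored string, so the same
// call works for both forms.
function checkPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Constructed sample: two users who happen to choose the same password.
$users = ['alice' => 'correct horse', 'bob' => 'correct horse'];

$static = array_map('hashWithStaticSalt', $users);
$proper = array_map('hashProperly', $users);

// Static salt: the two stored hashes are byte-identical, so the shared
// password is exposed without cracking either hash.
var_dump($static['alice'] === $static['bob']);

// password_hash(): different salts, so the stored hashes differ...
var_dump($proper['alice'] === $proper['bob']);

// ...while verification still succeeds for the right password and fails
// for the wrong one.
var_dump(checkPassword('correct horse', $proper['alice']));
var_dump(checkPassword('wrong password', $proper['bob']));

// Because the cost is stored alongside the salt, hashes can be upgraded
// later without the caller ever handling salt material.
var_dump(password_needs_rehash($proper['alice'], PASSWORD_BCRYPT, ['cost' => 12]));
```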