Newsgroups: php.internals
Xref: news.php.net php.internals:85597
Date: Tue, 31 Mar 2015 19:58:10 +0100
From: bowersbros@gmail.com (Alex Bowers)
To: Anthony Ferrara
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] password_hash() deprecate salt option - thoughts?

I think deprecating it is a good idea, and looking at the documentation it does mention that not providing it is the intended option, so it isn't a complete surprise for it to become deprecated.

On 31 March 2015 at 19:49, Anthony Ferrara wrote:
> All,
>
> Ever since we introduced password_hash() in 5.5, I've been watching
> its usage as much as possible. I've set up Google alerts and such, as
> well as auditing implementations I've found on GitHub to try to
> understand how it's used.
>
> One thing has become abundantly clear to me: the salt option is
> dangerous. I've yet to see a single usage of the salt option that has
> been even decent. Every usage ranges from bad (passing mt_rand()
> output) to dangerous (static strings) to insane (passing the password
> as its own salt).
>
> I've come to the conclusion that I don't think we should allow users
> to specify the salt. The crypt() API still exists if users have a need
> to generate their own salt. Having it in the simplified API is simply
> adding a risk factor without any significant justification.
>
> So I'd like to hear your thoughts about raising E_DEPRECATED when the
> salt option is specified in 7.0, with ultimately removing the option
> in a later version.
>
> Additionally, I know this is after the RFC freeze deadline, so if you
> want to postpone the deprecation to 7.1, that's fine. I just think
> it's worth discussion (and if there's consensus to put it in 7.0, then
> great).
>
> Thanks,
>
> Anthony
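As an added illustration of the point argued in the thread (not code from either poster), the PHP snippet below contrasts a caller-supplied static salt, still obtainable through crypt() as Anthony notes, with password_hash() drawing its own salt, and ends with a check a maintainer can run over a stored hash table. STATIC_SALT, the sample passwords and reusedSaltPrefixes() are constructed for this example.

```php
<?php
// Added example, not from the thread. Constructed inputs only.

// A hard-coded bcrypt setting string: "$2y$" + cost "10$" + a 22-char salt.
// This is the "static strings" anti-pattern the thread describes.
const STATIC_SALT = '$2y$10$abcdefghijklmnopqrstuu';

function hashWithStaticSalt(string $password): string {
    // crypt() accepts whatever salt the caller hands it.
    return crypt($password, STATIC_SALT);
}

function hashWithAutoSalt(string $password): string {
    // password_hash() draws a fresh random salt from a CSPRNG on every call
    // and embeds it in the returned string, so nothing has to be stored apart.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
}

$alice = hashWithStaticSalt('correct horse battery staple');
$bob   = hashWithStaticSalt('correct horse battery staple');
// Same password and same salt give byte-identical hashes: anyone holding the
// table can see which accounts share a password without cracking anything,
// and a single precomputed table covers every row.
var_dump($alice === $bob);

$alice2 = hashWithAutoSalt('correct horse battery staple');
$bob2   = hashWithAutoSalt('correct horse battery staple');
// Same password, different salts: the stored strings differ, yet both verify,
// because password_verify() reads the salt back out of the hash itself.
var_dump($alice2 === $bob2);
var_dump(password_verify('correct horse battery staple', $alice2));
var_dump(password_verify('wrong', $bob2));

// Defensive audit over stored hashes: bcrypt output is "$2y$NN$" followed by
// 22 salt characters. A salt prefix shared by more than one row means a
// static or reused salt was fed in, which is exactly what the thread warns about.
function reusedSaltPrefixes(array $hashes): array {
    $counts = [];
    foreach ($hashes as $h) {
        if (preg_match('/^\$2[aby]\$\d{2}\$(.{22})/', $h, $m)) {
            $counts[$m[1]] = ($counts[$m[1]] ?? 0) + 1;
        }
    }
    return array_filter($counts, fn(int $n): bool => $n > 1);
}

// Only the static-salt pair shows up; the password_hash() rows each have a unique salt.
print_r(reusedSaltPrefixes([$alice, $bob, $alice2, $bob2]));
```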