Newsgroups: php.internals
Xref: news.php.net php.internals:85600
Date: Tue, 31 Mar 2015 21:41:47 +0200
To: Anthony Ferrara
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] password_hash() deprecate salt option - thoughts?
From: nikita.ppv@gmail.com (Nikita Popov)

On Tue, Mar 31, 2015 at 8:49 PM, Anthony Ferrara wrote:
> All,
>
> Ever since we introduced password_hash() in 5.5, I've been watching
> its usage as much as possible. I've set up Google alerts and such, as
> well as auditing implementations I've found on GitHub to try to
> understand how it's used.
>
> One thing has become abundantly clear to me: the salt option is
> dangerous. I've yet to see a single usage of the salt option that has
> been even decent. Every usage ranges from bad (passing mt_rand()
> output) to dangerous (static strings) to insane (passing the password
> as its own salt).
>
> I've come to the conclusion that I don't think we should allow users
> to specify the salt. The crypt() API still exists if users have a need
> to generate their own salt. Having it in the simplified API is simply
> adding a risk factor without any significant justification.
>
> So I'd like to hear your thoughts about raising E_DEPRECATED when the
> salt option is specified in 7.0, with ultimately removing the option
> in a later version.
>
> Additionally, I know this is after the RFC freeze deadline, so if you
> want to postpone the deprecation to 7.1, that's fine. I just think
> it's worth discussion (and if there's consensus to put it in 7.0, then
> great).

Agree with deprecating the custom salt option and also okay with doing it in 7.0.

Nikita
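The "static string" misuse Anthony describes, shown next to the behaviour password_hash() gives when it picks the salt itself. This is an added example written for this page; it is not code from the thread or from PHP's own sources. It supplies the fixed salt through crypt(), which still accepts a caller-chosen salt (the deprecation proposed above did land in PHP 7.0, so passing 'salt' to password_hash() itself now warns), and the salt constant, cost value, sample password and the rehashIfStaticSalt() helper are all constructed for illustration.

```php
<?php
// Added example: why a caller-supplied constant salt is dangerous, and how to
// migrate stored hashes that were produced with one. Not code from PHP or from
// the original post; the salt, cost and password below are constructed.

declare(strict_types=1);

// A hard-coded bcrypt salt in "$2y$<cost>$<22 chars>" form (constructed).
// Reusing it for every user means equal passwords produce equal hashes: a
// database dump reveals which accounts share a password, and one precomputed
// table covers all users instead of one.
const STATIC_SALT = '$2y$10$abcdefghijklmnopqrstuu';
const BCRYPT_COST = 10;

function hashWithStaticSalt(string $password): string
{
    // crypt() takes whatever salt string the caller hands it; nothing stops a
    // constant here. The 22 salt characters must come from ./A-Za-z0-9.
    return crypt($password, STATIC_SALT);
}

function hashWithGeneratedSalt(string $password): string
{
    // password_hash() draws a fresh random salt from the OS CSPRNG on every
    // call; the caller never sees or chooses it.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function usesStaticSalt(string $stored): bool
{
    // The salt is embedded in the first 29 characters of a bcrypt hash, so a
    // reused constant is visible by simple prefix comparison.
    return substr($stored, 0, strlen(STATIC_SALT)) === STATIC_SALT;
}

// On successful login, replace a hash that was made with the constant salt
// (or with an outdated algorithm/cost) by one with a generated salt.
// password_needs_rehash() only checks algorithm and cost, so the salt check
// is explicit. Returns null when the password is wrong, so the stored hash
// is never touched on a failed attempt.
function rehashIfStaticSalt(string $password, string $stored): ?string
{
    if (!password_verify($password, $stored)) {
        return null;
    }
    if (usesStaticSalt($stored)
        || password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        return hashWithGeneratedSalt($password);
    }
    return $stored;
}

// Two different users who happen to choose the same password (constructed).
$pw = 'correct horse battery staple';

$a = hashWithStaticSalt($pw);
$b = hashWithStaticSalt($pw);
printf("static salt:    identical hashes for equal passwords? %s\n", $a === $b ? 'yes' : 'no');

$c = hashWithGeneratedSalt($pw);
$d = hashWithGeneratedSalt($pw);
printf("generated salt: identical hashes for equal passwords? %s\n", $c === $d ? 'yes' : 'no');
printf("generated-salt hashes both verify: %s\n",
    (password_verify($pw, $c) && password_verify($pw, $d)) ? 'yes' : 'no');

// Migration path for the legacy hash: verify, then re-hash with a fresh salt.
$migrated = rehashIfStaticSalt($pw, $a);
printf("migrated hash still carries the static salt: %s\n",
    ($migrated !== null && usesStaticSalt($migrated)) ? 'yes' : 'no');
printf("wrong password leaves the hash alone: %s\n",
    rehashIfStaticSalt('not the password', $a) === null ? 'yes' : 'no');
```

Run it with the PHP CLI; the first two lines of output are the whole point: the static salt yields byte-identical hashes for identical passwords, the generated salt does not, and both generated hashes still verify. The same prefix check works for salts built from mt_rand() or from the password itself once you know how they were derived, since bcrypt stores the salt in the clear at the front of the hash.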