Newsgroups: php.internals
Subject: Re: [PHP-DEV] password_hash() deprecate salt option - thoughts?
From: nicoswd@gmail.com (Nico)
To: internals@lists.php.net
Date: Tue, 31 Mar 2015 22:02:26 +0200
In-Reply-To: <551AF662.3070008@gmx.de>
References: <0CB1052E-0245-406D-8CF0-83E0D75CD049@gmail.com> <551AF662.3070008@gmx.de>

> On 31 Mar 2015, at 21:32, Christoph Becker wrote:
>
> Nicolas Oelgart wrote:
>
>>> On 31 Mar 2015, at 20:49, Anthony Ferrara wrote:
>>>
>>> So I'd like to hear your thoughts about raising E_DEPRECATED when the
>>> salt option is specified in 7.0, with ultimately removing the option
>>> in a later version.
>>
>> +1
>>
>> I'd even go as far as adding a big red warning about custom salts to the manual page.
>
> FWIW, there is already the following note:
>
> | Caution It is strongly recommended that you do not generate your own
> | salt for this function. It will create a secure salt automatically
> | for you if you do not specify one.
>
> --
> Christoph M. Becker
>

Yeah, I’m aware. But I don’t think it’s enough. I’d suggest moving it further to the top, and making it red. As Anthony’s research shows, the current note is not enough. People are still doing it wrong.

— Nico
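
The manual caution quoted in this message says password_hash() creates a secure salt when none is supplied. As an added example (not code from this thread or from the PHP project), the following PHP audits a set of stored bcrypt hashes for salts shared between accounts, which is what hand-rolled constant salts leave behind. The function names `bcryptSalt` and `findReusedSalts`, the user names and the sample hashes are constructed for illustration.

```php
<?php
// Added example: audit stored bcrypt hashes for reused salts.
// bcrypt layout: "$2y$" + 2-digit cost + "$" + 22-char salt + 31-char digest.

// Returns the 22-character salt field, or null if $hash is not a bcrypt hash.
function bcryptSalt(string $hash): ?string
{
    $re = '#^\$2[abxy]\$\d{2}\$([./A-Za-z0-9]{22})[./A-Za-z0-9]{31}$#';
    return preg_match($re, $hash, $m) === 1 ? $m[1] : null;
}

// Maps each salt that appears on more than one account to those accounts.
function findReusedSalts(array $hashesByUser): array
{
    $usersBySalt = [];
    foreach ($hashesByUser as $user => $hash) {
        $salt = bcryptSalt($hash);
        if ($salt !== null) {
            $usersBySalt[$salt][] = $user;
        }
    }
    return array_filter(
        $usersBySalt,
        fn(array $users): bool => count($users) > 1
    );
}

// Constructed sample data. Cost 4 only keeps the demo fast.
// $fixed stands in for a hard-coded salt in legacy application code.
$fixed = '$2y$04$' . str_repeat('A', 22);
$store = [
    'alice' => crypt('correct horse', $fixed),
    'bob'   => crypt('correct horse', $fixed),
    // No salt option: password_hash() draws a fresh random salt per call.
    'carol' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 4]),
    'dave'  => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 4]),
];

foreach (findReusedSalts($store) as $salt => $users) {
    echo "salt {$salt} shared by: ", implode(', ', $users), PHP_EOL;
}

// With a shared salt, equal passwords yield equal hashes; with the
// automatic salt they do not, so the two comparisons below differ.
var_dump($store['alice'] === $store['bob']);
var_dump($store['carol'] === $store['dave']);
```

Run against a real credential table, any salt reported by `findReusedSalts` marks accounts whose hashes should be regenerated with the automatic salt at the next successful login.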