Newsgroups: php.internals
Date: Tue, 31 Mar 2015 21:32:37 +0100
To: Anthony Ferrara
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] password_hash() deprecate salt option - thoughts?
From: dragoonis@gmail.com (Paul Dragoonis)

On Tue, Mar 31, 2015 at 7:49 PM, Anthony Ferrara wrote:
> All,
>
> Ever since we introduced password_hash() in 5.5, I've been watching
> its usage as much as possible. I've set up Google Alerts and such, as
> well as auditing implementations I've found on GitHub to try to
> understand how it's used.
>
> One thing has become abundantly clear to me: the salt option is
> dangerous. I've yet to see a single usage of the salt option that has
> been even decent. Every usage ranges from bad (passing mt_rand()
> output) to dangerous (static strings) to insane (passing the password
> as its own salt).
>
> I've come to the conclusion that I don't think we should allow users
> to specify the salt. The crypt() API still exists if users have a need
> to generate their own salt. Having it in the simplified API is simply
> adding a risk factor without any significant justification.
>
> So I'd like to hear your thoughts about raising E_DEPRECATED when the
> salt option is specified in 7.0, with ultimately removing the option
> in a later version.
>
> Additionally, I know this is after the RFC freeze deadline, so if you
> want to postpone the deprecation to 7.1, that's fine. I just think
> it's worth discussion (and if there's consensus to put it in 7.0, then
> great).
>
> Thanks,
>
> Anthony

No objections here. You're going with your gut on this and it seems like a
good call. We did make a freeze, and although I'd like it in 7.0, we should
probably stick to our process here and put it in 7.1.
To be fair, there's always a quick *.1 release anyway once we find
real-world bugs that need patching quickly ;-)

> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
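As an added example that is not part of this thread or of php-src, the PHP below demonstrates the three salt misuse patterns Anthony lists (mt_rand() output, a static string, a password-derived salt), the intended no-salt usage of password_hash()/password_verify(), and the crypt() route he mentions for callers who insist on supplying their own salt. It assumes PHP 7.x, where the salt option still takes effect but emits the E_DEPRECATED proposed here (PHP 8.0 warns and ignores the option, so cases 1 and 2 only reproduce on 7.x), and PHP >= 7.0 for random_bytes(). The sample password, the static salt string and the mt_srand() seed are constructed for the example.

```php
<?php
// Added example, not code from the thread or from php-src.
// Assumes PHP 7.x: the 'salt' option still works there (with E_DEPRECATED,
// suppressed below with @); PHP 8.0 warns and ignores it.

// 1. Static salt: every user with the same password gets the same hash, so a
//    leaked table reveals password reuse and one offline guess covers them all.
function hashesWithStaticSalt(string $pw): array
{
    $opts = ['salt' => 'static_salt_do_not_do_this']; // constructed misuse
    $a = @password_hash($pw, PASSWORD_BCRYPT, $opts);
    $b = @password_hash($pw, PASSWORD_BCRYPT, $opts);
    return [$a, $b];
}

// 2. Secret-derived salt: bcrypt stores the salt in the clear inside the hash
//    string ($2y$cost$<22 salt chars><31 hash chars>), so anything secret used
//    as a salt is published together with the hash. 22 hex chars of md5($pw)
//    stay inside bcrypt's ./A-Za-z0-9 alphabet, so PHP passes them through.
function saltLeaksIntoHash(string $pw): bool
{
    $salt = substr(md5($pw), 0, 22);
    $hash = @password_hash($pw, PASSWORD_BCRYPT, ['salt' => $salt]);
    // The 22nd salt character carries only 2 bits and is canonicalised by
    // crypt(), so compare the first 21 characters.
    return substr($hash, 7, 21) === substr($salt, 0, 21);
}

// 3. mt_rand(): Mersenne Twister seeded from a 32-bit value. Anyone who knows
//    or brute-forces the seed reproduces every "random" salt it ever produced.
function mtRandSaltIsReproducible(int $seed): bool
{
    mt_srand($seed);
    $first = mt_rand();
    mt_srand($seed);
    return $first === mt_rand();
}

// 4. Intended usage: no salt option at all. password_hash() draws 16 bytes from
//    the OS CSPRNG per call, so equal passwords yield distinct hashes, and
//    password_verify() reads algorithm, cost and salt back out of the string.
function hashAndVerify(string $pw): array
{
    $h1 = password_hash($pw, PASSWORD_BCRYPT);
    $h2 = password_hash($pw, PASSWORD_BCRYPT);
    $cost = password_get_info($h1)['options']['cost'];
    return [
        'distinct'     => $h1 !== $h2,
        'verifies'     => password_verify($pw, $h1) && password_verify($pw, $h2),
        'rejects'      => !password_verify($pw . 'x', $h1),
        // Raising the cost later: rehash on the next successful login.
        'needs_rehash' => password_needs_rehash($h1, PASSWORD_BCRYPT, ['cost' => $cost + 1]),
    ];
}

// 5. If you really must control the salt (Anthony's crypt() escape hatch),
//    build it from the CSPRNG and encode it into bcrypt's alphabet yourself.
function bcryptViaCrypt(string $pw, int $cost = 10): string
{
    $raw  = random_bytes(16);                                    // 128 bits of salt
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22); // bcrypt base64
    $hash = crypt($pw, sprintf('$2y$%02d$%s', $cost, $salt));
    if (strlen($hash) !== 60) {                                  // crypt() returns '*0'/'*1' on failure
        throw new RuntimeException('bcrypt unavailable or malformed salt');
    }
    return $hash;
}

$pw = 'correct horse battery staple'; // constructed sample password

[$a, $b] = hashesWithStaticSalt($pw);
printf("static salt -> identical hashes: %s\n", var_export($a === $b, true));
printf("secret-derived salt visible in hash: %s\n", var_export(saltLeaksIntoHash($pw), true));
printf("mt_rand salt reproducible from seed: %s\n", var_export(mtRandSaltIsReproducible(1234), true));
print_r(hashAndVerify($pw));
printf("crypt() with CSPRNG salt verifies: %s\n", var_export(password_verify($pw, bcryptViaCrypt($pw)), true));
```

Case 4 is the whole argument for dropping the option: the library already does what every hand-rolled salt was trying to do, and does it with the OS CSPRNG and a salt that is unique per call. Case 5 is what a caller who genuinely needs a custom salt (for instance to interoperate with another system's hash store) has to write against crypt(), which keeps the footgun out of the simplified API without removing the capability.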