Newsgroups: php.internals
Subject: password_hash() best practices
From: cmbecker69@gmx.de (Christoph Becker)
To: internals@lists.php.net
Date: Tue, 05 May 2015 22:37:16 +0200
Message-ID: <554929FC.1010807@gmx.de>

Hi everybody!

In issue #64816[1] the OP suggests in the comment from [2015-05-05 04:34 UTC] that hash_pbkdf2() should be recommended for advanced users, and that password_hash() should use PBKDF2 with at least 128,000 rounds.
The "Adding simple password hashing API" RFC[2] mentions in the "Future concerns" section that new hash algorithms may be introduced, and that the default algorithm as well as the default cost may be changed. According to the "Updating PASSWORD_DEFAULT" section[3], changing the default algorithm for PHP 7.0 is not possible anymore, but it might be considered to add support for PBKDF2, and to increase the cost of the CRYPT_BLOWFISH algorithm.

Thoughts?

[1]
[2]
[3]

--
Christoph M. Becker
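The two settings discussed in the message above (the bcrypt cost used by password_hash() and a PBKDF2 round count of at least 128,000 via hash_pbkdf2()) can be exercised with the following PHP script. It is an added example for this thread, not code from the post, from the RFC, or from php-src. It assumes PHP 7.0 or later (for random_bytes() and return types), a constructed in-memory user store in place of a database, and a deliberately low stored cost of 10 so that the rehash-on-login path is actually taken; the benchmark helper follows the approach the PHP manual describes for picking a cost.

```php
<?php
// Added example (not from the mailing-list post or php-src).
// Shows: (1) choosing a bcrypt cost for password_hash() by benchmark,
// (2) upgrading stored hashes on successful login with password_needs_rehash(),
// (3) a PBKDF2 wrapper around hash_pbkdf2() with >= 128,000 rounds.
// Assumptions: PHP 7+, a plain array as the user store (constructed), and
// sample passwords that are constructed for the demo.
declare(strict_types=1);

// Pick the highest bcrypt cost that still hashes within $targetSeconds on
// this machine; the cost is a power of two, so each step roughly doubles it.
function chooseBcryptCost(float $targetSeconds = 0.05): int
{
    $cost = 10; // PHP's default cost for PASSWORD_BCRYPT
    do {
        $cost++;
        $start = microtime(true);
        password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsed = microtime(true) - $start;
    } while ($elapsed < $targetSeconds && $cost < 31); // 31 is bcrypt's maximum
    return $cost;
}

// Verify a login and, if the stored hash uses an older/weaker cost than the
// current policy, replace it with a freshly computed hash (transparent upgrade).
function loginAndRehash(array &$users, string $name, string $password, array $options): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    if (!password_verify($password, $users[$name])) {
        return false;
    }
    if (password_needs_rehash($users[$name], PASSWORD_BCRYPT, $options)) {
        $users[$name] = password_hash($password, PASSWORD_BCRYPT, $options);
    }
    return true;
}

// PBKDF2-HMAC-SHA256 with a random 16-byte salt; the round count is stored
// beside the hash so it can be raised later without breaking old entries.
function pbkdf2Hash(string $password, int $iterations = 128000): string
{
    $salt = random_bytes(16);
    $hash = hash_pbkdf2('sha256', $password, $salt, $iterations, 32, true);
    return 'pbkdf2-sha256$' . $iterations . '$' . base64_encode($salt) . '$' . base64_encode($hash);
}

function pbkdf2Verify(string $password, string $stored): bool
{
    $parts = explode('$', $stored);
    if (count($parts) !== 4 || $parts[0] !== 'pbkdf2-sha256') {
        return false;
    }
    $iterations = (int) $parts[1];
    $salt = base64_decode($parts[2], true);
    $hash = base64_decode($parts[3], true);
    if ($salt === false || $hash === false || $iterations < 1) {
        return false;
    }
    $calc = hash_pbkdf2('sha256', $password, $salt, $iterations, strlen($hash), true);
    // Constant-time comparison so the check does not leak how many bytes matched.
    return hash_equals($hash, $calc);
}

// --- Demo with constructed data ---
$policy = ['cost' => chooseBcryptCost()];
echo "Chosen bcrypt cost for this machine: {$policy['cost']}\n";

// Stored hash deliberately computed with the old default cost of 10.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10])];
$before = $users['alice'];

var_dump(loginAndRehash($users, 'alice', 'wrong password', $policy)); // bool(false)
var_dump(loginAndRehash($users, 'alice', 'correct horse battery staple', $policy)); // bool(true)
echo "Hash upgraded on login: " . ($users['alice'] !== $before ? 'yes' : 'no') . "\n";

$stored = pbkdf2Hash('correct horse battery staple');
var_dump(pbkdf2Verify('correct horse battery staple', $stored)); // bool(true)
var_dump(pbkdf2Verify('wrong password', $stored));               // bool(false)
```

Note that whether the stored bcrypt hash is upgraded depends on what chooseBcryptCost() returns on the machine running the script; on any hardware where a cost of 11 or more fits the time budget, the rehash branch runs and the "upgraded" line prints "yes".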