Newsgroups: php.internals
Subject: Re: [PHP-DEV] password_hash() best practices
From: leafnode@gmail.com (Leszek Krupinski)
To: Christoph Becker
Cc: Leszek Krupiński
Date: Wed, 6 May 2015 09:35:35 +0200
In-Reply-To: <554929FC.1010807@gmx.de>

While I agree that the statement "bcrypt is better than PBKDF2, thus only bcrypt should be used" is difficult to defend, I think saying "bcrypt is a homegrown solution, only PBKDF2 is a good way to do it" is also wrong, and the OP is opinionated.

IMO, docs should describe alternatives without statements like "X is better than Y", but we should also include PBKDF2 as an option for password_hash(). PHP7 is (theoretically, apparently) closed for new features, but we should target the next possible version. I'm not sure if we should opt for changing the default.

Regarding iteration count: (again, IMO) 1024 is a bit low, but 128000 as a default for everyone might be a bit too much.

--Leszek

On Tue, May 5, 2015 at 10:37 PM, Christoph Becker wrote:
> Hi everybody!
>
> In issue #64816[1] the OP suggests in the comment from [2015-05-05 04:34
> UTC] that hash_pbkdf2() should be recommended for advanced users, and
> that password_hash() should use PBKDF2 with at least 128,000 rounds.
>
> The "Adding simple password hashing API" RFC[2] mentions in the "Future
> concerns" section that new hash algorithms may be introduced, and that
> the default algorithm as well as the default cost may be changed.
> According to the "Updating PASSWORD_DEFAULT" section[3] changing the
> default algorithm for PHP 7.0 is not possible anymore, but it might be
> considered to add support for PBKDF2, and to increase the cost of the
> CRYPT_BLOWFISH algorithm.
>
> Thoughts?
>
> [1]
> [2]
> [3]
>
> --
> Christoph M. Becker
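The thread argues about which cost or iteration count should be the default; the number that matters for a deployment is how long one hash takes on the machine that serves logins. The script below is an added example, not code from this thread or from PHP itself: it times bcrypt via password_hash() and PBKDF2-SHA256 via hash_pbkdf2() at the 1024 and 128,000 counts mentioned above, and searches for the bcrypt cost that meets an assumed time budget. It assumes PHP 7+ (random_bytes()), and the "pbkdf2-sha256$iterations$salt$hash" storage layout is the example's own convention, since password_hash() has no PBKDF2 option.

```php
<?php
// Added example, not from the thread: time bcrypt (password_hash) and
// PBKDF2-SHA256 (hash_pbkdf2) at the counts discussed above, so a cost is
// chosen against a time budget on the deploying machine. Assumes PHP 7+.
declare(strict_types=1);
const TARGET_MS = 250.0; // assumed per-hash budget for a login endpoint
function bcryptMs(string $password, int $cost): float {
    $t = microtime(true);
    password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    return (microtime(true) - $t) * 1000;
}
// password_hash() has no PBKDF2 option, so a self-describing string is built
// by hand; the "pbkdf2-sha256$iterations$salt$hash" layout is an assumption.
function pbkdf2Hash(string $password, int $iterations): string {
    $salt = random_bytes(16);                 // fresh per-password salt
    $dk   = hash_pbkdf2('sha256', $password, $salt, $iterations, 32, true);
    return sprintf('pbkdf2-sha256$%d$%s$%s', $iterations,
        base64_encode($salt), base64_encode($dk));
}
function pbkdf2Verify(string $password, string $stored): bool {
    $parts = explode('$', $stored, 4);
    if (count($parts) !== 4 || $parts[0] !== 'pbkdf2-sha256') {
        return false;                         // unknown or malformed record
    }
    $calc = hash_pbkdf2('sha256', $password, base64_decode($parts[2]),
        (int) $parts[1], 32, true);
    return hash_equals(base64_decode($parts[3]), $calc); // constant-time compare
}
// Smallest bcrypt cost whose hashing time reaches the budget (work doubles per step).
function pickBcryptCost(string $password, float $budgetMs): int {
    for ($cost = 4; $cost <= 31; $cost++) {
        if (bcryptMs($password, $cost) >= $budgetMs) {
            return $cost;
        }
    }
    return 31;
}
$pw = 'correct horse battery staple';         // constructed sample password
foreach ([1024, 128000] as $iters) {
    $t = microtime(true);
    $h = pbkdf2Hash($pw, $iters);
    printf("pbkdf2-sha256 %6d iters: %.1f ms, verify=%s\n", $iters,
        (microtime(true) - $t) * 1000, pbkdf2Verify($pw, $h) ? 'ok' : 'FAIL');
}
printf("bcrypt cost 10: %.1f ms\n", bcryptMs($pw, 10));
printf("bcrypt cost for %.0f ms budget: %d\n", TARGET_MS, pickBcryptCost($pw, TARGET_MS));
```

Because the bcrypt search re-hashes at every cost from 4 upward, run it once at deploy time rather than per request, and re-run it when the hardware changes.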