Newsgroups: php.internals
From: Leszek Krupinski <leafnode@gmail.com>
To: Christoph Becker
Cc: PHP Internals <internals@lists.php.net>
Date: Thu, 7 May 2015 07:44:14 +0200
Subject: Re: [PHP-DEV] password_hash() best practices
In-Reply-To: <554A68DF.6050403@gmx.de>
References: <554929FC.1010807@gmx.de> <554A68DF.6050403@gmx.de>

On Wed, May 6, 2015 at 9:17 PM, Christoph Becker wrote:

> Leszek Krupinski:
>
>> While I agree that the statement "bcrypt is better than PBKDF2, thus only
>> bcrypt should be used" is difficult to defend,
>
> Well at least the StackExchange thread[1] pointed out by Nikita supports
> the statement.

Partially. It mainly says "bcrypt is no worse than PBKDF2". As Nikita stated,
bcrypt is better in putting more strain on GPUs, yet it's worse with long
passwords. Because of that, I wouldn't say which one is generally better.

>> IMO - docs should describe alternatives, without statements "X is better
>> than Y", but we also should include PBKDF2 as an option for password_hash()
>> - PHP7 is (theoretically, apparently) closed for new features, but we
>> should target the next possible version. I'm not sure if we should opt for
>> changing the default.
>
> As Nikita has pointed out there is no standardized crypt-compatible
> format for PBKDF2, so it seems to be preferable not to add it to
> password_hash().

It's true that it's not supported by crypt, but I'll refer to that in a reply
to Nikita's post.

>> Regarding iteration count: (again, IMO) 1024 is a bit low, but 128000 as a
>> default for everyone might be a bit too much.
>
> As I understand it, the iteration count has to be very different for
> bcrypt and PBKDF2 (the latter requiring much more rounds). Increasing
> the default cost factor of bcrypt from 10 to 11 or 12 seems to be
> reasonable, considering that 10 had been chosen nearly two years ago.

+1.

--
Leszek
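The two practical points in the exchange above, raising the bcrypt cost factor above the default of 10 and bcrypt being "worse with long passwords", worked through with PHP's own password_* API as an added example (this is not code from the thread or from the PHP project). It assumes PHP 7.0 or later; the benchmark target time, the desired cost of 12 and the sample passwords are illustrative choices, not values from the thread.

```php
<?php
declare(strict_types=1);

// Added example, not code from the mailing-list thread. It demonstrates:
//   (a) choosing and raising the bcrypt cost factor,
//   (b) migrating existing hashes to the higher cost on login,
//   (c) why bcrypt is weaker with long passwords (only the first 72 bytes count),
//   (d) a pre-hash that restores sensitivity to the whole password.

/**
 * Benchmark bcrypt on this machine and return the smallest cost whose hashing
 * time reaches $targetSeconds. The thread's default of 10 is the starting point;
 * re-run this when hardware changes. (PHP 8.4 raised the built-in default to 12.)
 */
function pickBcryptCost(float $targetSeconds = 0.25, int $maxCost = 15): int
{
    for ($cost = 10; $cost <= $maxCost; $cost++) {
        $start = microtime(true);
        // Constructed throwaway input; only the timing matters here.
        password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        if (microtime(true) - $start >= $targetSeconds) {
            return $cost;
        }
    }
    return $maxCost;
}

/**
 * Verify a login and, if the stored hash was produced with a lower cost than
 * $desiredCost, return a replacement hash to store. This lets a site raise the
 * cost over time without forcing password resets.
 *
 * @return array{ok: bool, newHash: ?string}
 */
function verifyAndUpgrade(string $password, string $storedHash, int $desiredCost): array
{
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'newHash' => null];
    }
    $newHash = null;
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $desiredCost])) {
        $newHash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $desiredCost]);
    }
    return ['ok' => true, 'newHash' => $newHash];
}

/**
 * bcrypt consumes only the first 72 bytes of the password, so two passwords
 * that share their first 72 bytes verify against the same hash. This is the
 * "worse with long passwords" property mentioned in the thread.
 */
function bcryptIgnoresBytesAfter72(): bool
{
    $first72 = str_repeat('a', 72);
    // Cost 4 is the minimum PHP accepts; used here only to keep the demo fast.
    $hash = password_hash($first72, PASSWORD_BCRYPT, ['cost' => 4]);
    return password_verify($first72 . 'ignored-tail', $hash);
}

/**
 * Mitigation: pre-hash so bcrypt always sees a short, fixed-length input.
 * The digest is base64-encoded rather than passed raw, because raw digest
 * bytes can contain NUL, which bcrypt treats as end-of-string. The same
 * pre-hash must be applied on verify.
 */
function prehashForBcrypt(string $password): string
{
    return base64_encode(hash('sha256', $password, true)); // 44 bytes, under the 72-byte limit
}

function prehashedHash(string $password, int $cost): string
{
    return password_hash(prehashForBcrypt($password), PASSWORD_BCRYPT, ['cost' => $cost]);
}

function prehashedVerify(string $password, string $hash): bool
{
    return password_verify(prehashForBcrypt($password), $hash);
}

// Usage from the CLI:
$cost = pickBcryptCost();
echo "Chosen bcrypt cost on this machine: $cost\n";

$old = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
$result = verifyAndUpgrade('correct horse battery staple', $old, 12);
echo 'Login ok: ', var_export($result['ok'], true),
     ', rehash needed: ', var_export($result['newHash'] !== null, true), "\n";

echo 'bcrypt ignores bytes after 72: ', var_export(bcryptIgnoresBytesAfter72(), true), "\n";

$long = str_repeat('a', 72) . 'tail';
$h = prehashedHash($long, 4);
echo 'with pre-hash, the tail matters: ',
     var_export(!prehashedVerify(str_repeat('a', 72), $h), true), "\n";
```

The cost picked by pickBcryptCost() is specific to the machine it runs on, so treat it as input to a deployment decision rather than something to compute on every request; verifyAndUpgrade() is what lets an existing user base move to the higher cost gradually.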