Newsgroups: php.internals
Subject: Re: [PHP-DEV] password_hash() best practices
From: Leszek Krupinski <leafnode@gmail.com>
To: Nikita Popov
Cc: Christoph Becker, PHP internals
Date: Thu, 7 May 2015 08:11:29 +0200
References: <554929FC.1010807@gmx.de>

On Wed, May 6, 2015 at 4:00 PM, Nikita Popov wrote:
> It should be further noted that there is no standardized crypt() format for
> PBKDF2 and password_hash() is a crypt-compatible API. As such supporting
> PBKDF2 there would be very problematic. We do already support it in the
> form of hash_pbkdf2() and people who wish to use this method (e.g. due to
> legal restrictions) can use it through this API - I don't see a reason to
> have it in password_hash(), which should only support the recommended
> default use case.

It's true that there's no support for pbkdf2 in crypt. On the other hand, the RFC for password_hash stated:

> These hashing APIs will initially be thin wrappers around *crypt()* to allow for automatic salt generation and better error checking.

It says "initially" - that's why I understood that in the future we can diverge from crypt in situations when there's a great new hash we would like to use, but it's not supported by crypt (yet or at all).

Also, I'm pro-choice ;) We have an extensible API for password_hash(), and because people have different needs (like GPU strain in bcrypt or longer passwords in pbkdf2) we should provide an option for more experienced users, while having reasonable defaults. Yes, advanced users can use hash functions directly, but password_* are so nice :)

--Leszek
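The thread contrasts password_hash() (salt generation, cost and a crypt-style storage format built in) with hash_pbkdf2(), which leaves salt handling, iteration count and a storage format to the caller. The following is an added example written for this page, not code from the thread or from PHP's own sources. It wraps hash_pbkdf2() the way the RFC describes password_hash() wrapping crypt(), and it shows the "longer passwords" point from the message: bcrypt uses only the first 72 bytes of the password, while PBKDF2 consumes all of it. The `$pbkdf2-sha256$iterations$salt$hash` layout, the cost of 12 and the 600000 iterations are choices made for this example, not a PHP or crypt() standard.

```php
<?php
declare(strict_types=1);

// --- password_hash(): salt, cost and storage format are handled for you ---
function bcrypt_hash(string $password, int $cost = 12): string
{
    // PASSWORD_BCRYPT truncates the input to 72 bytes before hashing.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

function bcrypt_verify(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// --- hash_pbkdf2(): the caller supplies salt, iterations and a storage format ---
// Storage layout used here (constructed for this example, not a crypt() format):
//   $pbkdf2-sha256$<iterations>$<base64 salt>$<base64 derived key>
function pbkdf2_hash(string $password, int $iterations = 600000): string
{
    $salt = random_bytes(16);
    $dk = hash_pbkdf2('sha256', $password, $salt, $iterations, 32, true);
    return sprintf(
        '$pbkdf2-sha256$%d$%s$%s',
        $iterations,
        base64_encode($salt),
        base64_encode($dk)
    );
}

function pbkdf2_verify(string $password, string $stored): bool
{
    $parts = explode('$', $stored);
    if (count($parts) !== 5 || $parts[1] !== 'pbkdf2-sha256') {
        return false;
    }
    $iterations = (int) $parts[2];
    $salt = base64_decode($parts[3], true);
    $expected = base64_decode($parts[4], true);
    if ($salt === false || $expected === false || $iterations < 1) {
        return false;
    }
    // Re-derive with the stored parameters, then compare in constant time
    // so the comparison does not leak how many bytes matched.
    $dk = hash_pbkdf2('sha256', $password, $salt, $iterations, strlen($expected), true);
    return hash_equals($expected, $dk);
}

// Constructed inputs: two passwords that share their first 72 bytes.
$pw        = str_repeat('a', 72) . 'tail';
$lookalike = str_repeat('a', 72) . 'DIFFERENT';

$bh = bcrypt_hash($pw);
$ph = pbkdf2_hash($pw);

printf("bcrypt  verify(lookalike): %s\n", bcrypt_verify($lookalike, $bh) ? 'accepted' : 'rejected');
printf("pbkdf2  verify(lookalike): %s\n", pbkdf2_verify($lookalike, $ph) ? 'accepted' : 'rejected');
printf("pbkdf2  verify(original):  %s\n", pbkdf2_verify($pw, $ph) ? 'accepted' : 'rejected');
```

Running this shows the difference the message alludes to: the bcrypt check accepts the look-alike because bytes beyond the 72nd never reach the hash, whereas the PBKDF2 wrapper rejects it and accepts only the original. Both wrappers keep the parameters (cost or iterations) inside the stored string, which is what lets a verifier later raise them without a flag day; for password_hash() that job is done by password_needs_rehash(), and the PBKDF2 wrapper would need an equivalent check of its own.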