Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:86134 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 75762 invoked from network); 7 May 2015 15:29:55 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 7 May 2015 15:29:55 -0000 Authentication-Results: pb1.pair.com header.from=rowan.collins@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=rowan.collins@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.212.171 as permitted sender) X-PHP-List-Original-Sender: rowan.collins@gmail.com X-Host-Fingerprint: 209.85.212.171 mail-wi0-f171.google.com Received: from [209.85.212.171] ([209.85.212.171:38394] helo=mail-wi0-f171.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id D5/53-53430-3F48B455 for ; Thu, 07 May 2015 11:29:55 -0400 Received: by wiun10 with SMTP id n10so64383151wiu.1 for ; Thu, 07 May 2015 08:29:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=YHIQ5+H4bKRxq4TdtH8UjtX23Qh0GnDqOWG0DtHMBJ4=; b=YwCVtjwWRshqwHVNuBkUFuILGI0mUOYAGvJrNFRRnZkNb6sROnw+PKWBKicYs4g7uy Lvzocjxj7mmvBh99XBjawzO1n1G0v/8YtutxlE5mZ0A/sko1ZrzKuiDrHXRUsiMWPWVg 9wM8iFA8tdV9IEsrLzAwuXj8yJdIcFQxWm6kMryoOh2gmDdBkiz/1Sq4qLviLCXsNlyZ 3V8hKi3F/bEMVARRRj/CdEb/lPyc5Zxq4pV6DGIvITIWMPwhRpDEHY3HOymAQaseL8gt e8eqIm8eebhfbKdqrcbfJerP4RdILpwgJ6JiIBAg9aLQEH+hH+k+U6T1A4O+xwzm1dFy 9zHg== X-Received: by 10.194.192.72 with SMTP id he8mr8827646wjc.11.1431012592818; Thu, 07 May 2015 08:29:52 -0700 (PDT) Received: from [192.168.0.159] ([62.189.198.114]) by mx.google.com with ESMTPSA id it5sm7964704wid.3.2015.05.07.08.29.51 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 07 May 2015 08:29:51 -0700 (PDT) Message-ID: <554B849D.2040308@gmail.com> Date: Thu, 07 May 2015 16:28:29 +0100 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0 MIME-Version: 1.0 To: internals@lists.php.net References: <554929FC.1010807@gmx.de> In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] password_hash() best practices From: rowan.collins@gmail.com (Rowan Collins) Leszek Krupinski wrote on 07/05/2015 07:11: > On Wed, May 6, 2015 at 4:00 PM, Nikita Popov wrote: > >> It should be further noted that there is no standardized crypt() format for >> PBKDF2 and password_hash() is a crypt-compatible API. As such supporting >> PBKDF2 there would be very problematic. > That's true that there's no support for pbkdf2 in crypt. On the other hand, > the RFC for password_hash stated: > >> These hashing APIs will initially be thin wrappers around *crypt()* to > allow for automatic salt generation and better error checking. > > It says "initially" - that's why I understood that in the future we can > diverge from crypt in situations when there's a great new hash we would > like to use, but it's not supported by crypt (yet or at all). Notwithstanding the merits of using it in this case, I wonder if there's a possibility to invent a syntax recognised by password_hash which is an explicit extension of what crypt uses, and is guaranteed not to collide, kind of like the "X-" header prefix in HTTP. If a "standard" format for the same algorithm was added in future, password_needs_rehash could return true for the deprecated interim format, allowing a smooth transition. (If you explicitly chose PBKDF2, you would still need to call that function to allow for increases in the cost parameter.) Regards, -- Rowan Collins [IMSoP]