Newsgroups: php.internals
Date: Fri, 05 Aug 2016 11:14:35 -0400
From: fsb@thefsb.org (Tom Worster)
To: "Charles R. Portwood II"
CC: PHP internals
Subject: Re: [RFC][DISCUSSION] Argon2 Password Hash
References: <81b5a129-9c90-0a54-921f-7e1f9b5f727f@thefsb.org>

On 8/5/16, 10:49 AM, "Charles R. Portwood II" wrote:

> I think for clarity, PASSWORD_ARGON2I would be sufficient. What are your
> thoughts?

Looks good.

> The rationale for providing defaults is to ensure the password_*
> functions remain easy to use.

I understand. I was actually suggesting that we deliberately make it harder to use!

> Assuming that at some point PASSWORD_ARGON2I (or any new algorithm)
> would become PASSWORD_DEFAULT, the end user's expectations would be that
> password_hash($password, PASSWORD_DEFAULT) just works, without needing to
> specify additional arguments.

I agree entirely. I'm not against introducing default cost constants. I am instead proposing we allow a period of time after introduction of Argon2 into PHP before deciding what the default costs should be and define the constants at the same time as setting PASSWORD_DEFAULT = PASSWORD_ARGON2I, or possibly before. Please reread my previous message for the reasons behind this (odd, I admit) idea.

Tom
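The thread turns on whether applications should rely on built-in Argon2 cost defaults or pass costs explicitly, and on what happens to stored hashes once PASSWORD_DEFAULT or the default costs change. The following is an added example, not code from the thread or from the RFC; it assumes PHP 7.2 or later built with Argon2 support, where PASSWORD_ARGON2I and the memory_cost/time_cost/threads options exist, and the cost values and sample passwords are constructed for illustration.

```php
<?php
// Added example, not part of the mailing-list thread. Assumes PHP 7.2+
// with Argon2 support. The cost values below are constructed for
// illustration; pick them from a benchmark on your own hardware.

// An explicit cost policy, so the produced hash does not silently depend
// on whatever default costs a given PHP release ships with.
const ARGON2I_OPTIONS = [
    'memory_cost' => 1 << 16, // in KiB, i.e. 64 MiB
    'time_cost'   => 4,       // number of passes
    'threads'     => 2,       // degree of parallelism
];

function hash_password(string $password): string
{
    return password_hash($password, PASSWORD_ARGON2I, ARGON2I_OPTIONS);
}

// Verify a password against a stored hash and report whether that hash
// was produced under a different algorithm or cost policy (for instance
// bcrypt from an earlier PASSWORD_DEFAULT, or weaker Argon2i costs).
// When 'rehash' is true the caller should store hash_password($password)
// in place of the old hash, since the plaintext is available at login.
function check_password(string $password, string $stored): array
{
    $ok = password_verify($password, $stored);
    $rehash = $ok && password_needs_rehash($stored, PASSWORD_ARGON2I, ARGON2I_OPTIONS);
    return ['ok' => $ok, 'rehash' => $rehash];
}

// Constructed walk-through: one hash made under an older policy (bcrypt),
// one made under the current Argon2i policy.
$legacy  = password_hash('correct horse battery staple', PASSWORD_BCRYPT);
$current = hash_password('correct horse battery staple');

foreach ([$legacy, $current] as $stored) {
    // The Argon2i hash string carries its own m=, t= and p= parameters,
    // which is what password_needs_rehash compares against ARGON2I_OPTIONS.
    echo $stored, PHP_EOL;
    var_dump(check_password('correct horse battery staple', $stored));
    var_dump(check_password('not the password', $stored));
}
```

Because the Argon2i hash string encodes its own parameters, raising the costs in ARGON2I_OPTIONS later (or moving PASSWORD_DEFAULT to Argon2i) is handled by the same rehash-on-login path rather than by a bulk migration.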