Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:94862
Return-Path: <fsb@thefsb.org>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 22237 invoked from network); 5 Aug 2016 15:21:52 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 5 Aug 2016 15:21:52 -0000
Authentication-Results: pb1.pair.com header.from=fsb@thefsb.org; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=fsb@thefsb.org; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain thefsb.org designates 173.203.187.75 as permitted sender)
X-PHP-List-Original-Sender: fsb@thefsb.org
X-Host-Fingerprint: 173.203.187.75 smtp75.iad3a.emailsrvr.com  
Received: from [173.203.187.75] ([173.203.187.75:35127] helo=smtp75.iad3a.emailsrvr.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 54/BD-33134-F0FA4A75 for <internals@lists.php.net>; Fri, 05 Aug 2016 11:21:51 -0400
Received: from smtp10.relay.iad3a.emailsrvr.com (localhost [127.0.0.1])
	by smtp10.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id 46B5260288;
	Fri,  5 Aug 2016 11:21:49 -0400 (EDT)
X-Auth-ID: fsb@thefsb.org
Received: by smtp10.relay.iad3a.emailsrvr.com (Authenticated sender: fsb-AT-thefsb.org) with ESMTPSA id BD06960174;
	Fri,  5 Aug 2016 11:21:47 -0400 (EDT)
X-Sender-Id: fsb@thefsb.org
Received: from [10.0.1.2] (c-66-30-62-12.hsd1.ma.comcast.net [66.30.62.12])
	(using TLSv1 with cipher DES-CBC3-SHA)
	by 0.0.0.0:465 (trex/5.7.1);
	Fri, 05 Aug 2016 11:21:49 -0400
User-Agent: Microsoft-MacOutlook/14.6.6.160626
Date: Fri, 05 Aug 2016 11:21:44 -0400
To: Ryan Pallas <derokorian@gmail.com>
CC: PHP internals <internals@lists.php.net>
Message-ID: <D3CA25CD.70B9B%fsb@thefsb.org>
Thread-Topic: [PHP-DEV] Re: [RFC][DISCUSSION] Argon2 Password Hash
References: <CAGC=tRnpka_ym=f-xsskjeiPaqahsTEAxPq9=E8Z73KQKeRrHg@mail.gmail.com>
 <81b5a129-9c90-0a54-921f-7e1f9b5f727f@thefsb.org>
 <CAGC=tR=4v0KAkqnU1Q3Fr5AeM8o_PuJfP9rYQ_s4X3=Z9UUh=w@mail.gmail.com>
 <CAObuZdsq33=g4wG=FP0bOHnsE9N+PrCu3nGs7ZNAxx=rX4dJ+w@mail.gmail.com>
In-Reply-To: <CAObuZdsq33=g4wG=FP0bOHnsE9N+PrCu3nGs7ZNAxx=rX4dJ+w@mail.gmail.com>
Mime-version: 1.0
Content-type: text/plain;
	charset="UTF-8"
Content-transfer-encoding: 7bit
Subject: Re: [PHP-DEV] Re: [RFC][DISCUSSION] Argon2 Password Hash
From: fsb@thefsb.org (Tom Worster)

On 8/5/16, 11:08 AM, "Ryan Pallas" <derokorian@gmail.com> wrote:

>Please keep it so that defaults will work, but $options is available for
>tuning as that's how the feature currently works.

My suggestion doesn't affect that. I agree that password_hash($password,
PASSWORD_DEFAULT) should always "just work".

Instead, I think there should be an interim status, before changing
PASSWORD_DEFAULT, in which password_hash($password, PASSWORD_ARGON2I)
requires $options. Reasons given in my first reply.

There is no hurry to change PASSWORD_DEFAULT, afaik.

Tom