Newsgroups: php.internals
Date: Fri, 5 Aug 2016 11:36:51 -0500
From: charlesportwoodii@erianna.com ("Charles R. Portwood II")
To: Ryan Pallas
Cc: Tom Worster, PHP internals
Subject: Re: [PHP-DEV] Re: [RFC][DISCUSSION] Argon2 Password Hash
References: <81b5a129-9c90-0a54-921f-7e1f9b5f727f@thefsb.org>

On Fri, Aug 5, 2016 at 10:08 AM, Ryan Pallas wrote:

> I think this is the most important part to consider. If you make $options
> required for this algo, then making this algo the PASSWORD_DEFAULT would
> mean that it's a backwards-incompatible change, because now all calls to
> password_hash($password, PASSWORD_DEFAULT) would need to be updated to use
> an older constant or pass in $options, which I think totally defeats the
> purpose of the password_hash API.
>
> Please keep it so that defaults will work, but $options is available for
> tuning, as that's how the feature currently works.
>
>> The rationale for providing defaults is to ensure the password_*
>> functions remain easy to use.
>
> I understand. I was actually suggesting that we deliberately make it
> harder to use!
>
>> Assuming that at some point PASSWORD_ARGON2I (or any new algorithm)
>> would become PASSWORD_DEFAULT, the end user's expectations would be that
>> password_hash($password, PASSWORD_DEFAULT) just works, without needing to
>> specify additional arguments.
>
> I agree entirely. I'm not against introducing default cost constants. I am
> instead proposing we allow a period of time after introduction of Argon2
> into PHP before deciding what the default costs should be and define the
> constants at the same time as setting PASSWORD_DEFAULT = PASSWORD_ARGON2I,
> or possibly before.
> Please reread my previous message for the reasons behind this (odd, I
> admit) idea.

Hi Tom,

I understand what you're saying. Ryan said it a bit more clearly than I did: making the options required causes backwards-incompatible changes to the password_hash API. That's my real reservation about not providing defaults. A separate RFC would be needed for 7.4 to make PASSWORD_ARGON2I = PASSWORD_DEFAULT. If the supplied constants need to be changed for that, I think that would be the time to do so. I think for now something needs to be provided to ensure the password_hash API doesn't change.

On Fri, Aug 5, 2016 at 11:29 AM, Niklas Keller wrote:

> Hi Charles,
>
> I'd prefer `memory_cost` and `time_cost` over `m_cost` and `t_cost`. Do we
> have any reason to use the shorter but less readable names here?
>
> Regards, Niklas

'm_cost' and 't_cost' are what is used in the reference library. Someone looking at the reference material would see those names.

Thanks,
Charles R. Portwood II
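An added illustration of the API shape the thread is arguing about (example code, not from the thread or the RFC): a defaults-only `password_hash()` call, the tuned `$options` form, and the verify-and-rehash pattern that lets stored hashes migrate when the default algorithm or costs change. It assumes PHP 7.2 or later built with Argon2 support and uses the option keys PHP eventually shipped (`memory_cost`, `time_cost`, `threads`) rather than the draft's `m_cost`/`t_cost`; the cost values are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread or the RFC. Assumes PHP >= 7.2 built
// with Argon2 support; option keys are the ones PHP shipped (memory_cost,
// time_cost, threads), not the RFC draft's m_cost/t_cost discussed above.

// Constructed cost parameters standing in for values a site would pick after
// benchmarking its own hardware; not a recommendation.
const TUNED_ARGON2_OPTIONS = [
    'memory_cost' => 1 << 17, // KiB, i.e. 128 MiB
    'time_cost'   => 4,
    'threads'     => 2,
];

// The call shape Ryan's point rests on: if PASSWORD_DEFAULT later becomes
// PASSWORD_ARGON2I, this must keep working unchanged, which is only possible
// if the algorithm ships with default costs.
function hashWithDefaults(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// The tuned form: $options stays available for sites that have benchmarked.
function hashTuned(string $password): string
{
    return password_hash($password, PASSWORD_ARGON2I, TUNED_ARGON2_OPTIONS);
}

// Verify-and-upgrade on login. Old hashes (bcrypt, or Argon2i with older
// costs) still verify because their parameters are encoded in the hash
// string; password_needs_rehash() reports when the stored hash lags the
// current policy so it can be replaced without a forced password reset.
function verifyAndMaybeRehash(string $password, string $stored): array
{
    if (!password_verify($password, $stored)) {
        return ['ok' => false, 'hash' => $stored];
    }
    $stale = password_needs_rehash($stored, PASSWORD_ARGON2I, TUNED_ARGON2_OPTIONS);
    return ['ok' => true, 'hash' => $stale ? hashTuned($password) : $stored];
}

// Demo: the defaults-only call works, and a legacy bcrypt hash migrates to
// tuned Argon2i on a successful login.
$fresh  = hashWithDefaults('correct horse');
$legacy = password_hash('correct horse', PASSWORD_BCRYPT);
$login  = verifyAndMaybeRehash('correct horse', $legacy);
echo password_get_info($fresh)['algoName'], ' / ',
     password_get_info($login['hash'])['algoName'], PHP_EOL;
```

A failed `password_verify()` leaves the stored hash untouched, so the rehash path never runs on an unauthenticated attempt.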