Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: [RFC][DISCUSSION] Argon2 Password Hash
From: fsb@thefsb.org (Tom Worster)
Date: Fri, 05 Aug 2016 13:12:15 -0400
To: "Charles R. Portwood II", Ryan Pallas
CC: PHP internals

On 8/5/16, 12:36 PM, "Charles R. Portwood II" wrote:

>I understand what you're saying. Ryan said it a bit more clearly than I
>did, making the options required causes backwards-incompatible changes to
>the password_hash API. That's my real reservation behind not providing
>defaults.
>
>A separate RFC would be needed for 7.4 to make PASSWORD_ARGON2I =
>PASSWORD_DEFAULT). If the supplied constants need to be changed for that,
>I think that would be the time to do so. I think for now something needs
>to be provided to ensure the password_hash API doesn't change.

I can understand an argument that it's too much to expect a user to provide an options array when using Argon2. But I don't understand how my suggestion breaks BC.

In my idea, a future RFC would propose default cost constants. Changing PASSWORD_DEFAULT to PASSWORD_ARGON2I depends on those constants, so they would need to be defined before changing PASSWORD_DEFAULT or at the same time.

So...

password_hash('password', PASSWORD_DEFAULT) will always work.

password_hash('password', PASSWORD_ARGON2I) works as soon as Argon2 is introduced in your proposal, but has to wait for another future RFC in my suggested change.

password_hash('password', PASSWORD_ARGON2I, [costs]) will always work.

How does a BC break happen?

Tom
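As an added example (not code from this thread or from the RFC), here are the call forms discussed above together with the password_needs_rehash() check that keeps a later change of PASSWORD_DEFAULT or of the cost constants backward compatible for stored hashes. It assumes a PHP build that exposes PASSWORD_ARGON2I and the option keys memory_cost, time_cost and threads.

```php
<?php
// Added example; assumes PASSWORD_ARGON2I and the option keys
// memory_cost, time_cost and threads are available in this build.

// Explicit costs: this call form does not depend on any default
// cost constants, so it keeps working whatever PASSWORD_DEFAULT means.
$argon2Options = [
    'memory_cost' => 1 << 16, // KiB, i.e. 64 MiB
    'time_cost'   => 4,
    'threads'     => 2,
];

function hashPassword(string $password, array $options): string
{
    return password_hash($password, PASSWORD_ARGON2I, $options);
}

// On login: verify first, then ask whether the stored hash still matches
// the algorithm and costs the application wants today. If the defaults
// change in a future release, users are migrated transparently as they
// log in and old hashes keep verifying, which is the BC property at stake.
function verifyAndMaybeRehash(string $password, string $storedHash, array $options): array
{
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'newHash' => null];
    }
    $newHash = null;
    if (password_needs_rehash($storedHash, PASSWORD_ARGON2I, $options)) {
        // Caller should persist $newHash in place of $storedHash.
        $newHash = hashPassword($password, $options);
    }
    return ['ok' => true, 'newHash' => $newHash];
}

// Constructed demo input: a pre-existing bcrypt hash (the current
// PASSWORD_DEFAULT at the time of the thread) being upgraded to Argon2i.
$legacyHash = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]);
$result     = verifyAndMaybeRehash('correct horse', $legacyHash, $argon2Options);

var_dump($result['ok']);                                 // verification result
var_dump($result['newHash'] !== null);                   // true when a rehash was needed
var_dump(password_get_info($result['newHash'])['algoName']); // algorithm of the new hash
```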