Re: Adding a simple API for secure password hashing?

From:	Ángel González	Date:	Tue, 19 Jun 2012 22:26:36 +0000
Subject:	Re: Adding a simple API for secure password hashing?
References:	1 2 3 4 5 6	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

On 18/06/12 18:54, Anthony Ferrara wrote:
> Pierre,
>
>> There is sadly only state-of-art-right-now password hashing methods.
>> We have to keep that in mind :)
> That's why the crypt() return format was designed. All of the options
> that are needed to validate the hash (algorithm, cost parameter, salt,
> etc) are fit right into the outputted string.
>
> I'd suggest that's what's done here. In fact, I'd make the functions
> just a thin wrapper around crypt(). Basically, just where it sets sane
> defaults that we can update every minor (or major) release (to
> compensate for faster servers). It handles salt generation, error
> checking, etc.
>
> Here's what I have in mind in php: https://gist.github.com/2949382
I don't think the code is the most appropiate one, but I suppose that's
not a final proposal.
The interfaces look good to me.
I'd maybe set the default $algo to PASSWORD_DEFAULT_HASH or similar,
being a value bumped on each next revisions.
I would consider preferable to have the $ ofpassword_register_algoprefix
implicit.

Regards



   

Thread (39 messages)

• Nikita PopovWed, 13 Jun 2012 21:31:35 +0000
  • Gwynne RaskindWed, 13 Jun 2012 21:44:46 +0000
  • Arvids GodjuksWed, 13 Jun 2012 22:01:36 +0000
  • Stas MalyshevWed, 13 Jun 2012 22:34:11 +0000
  • Thomas HruskaThu, 14 Jun 2012 04:02:16 +0000
  • Daniel MacedoThu, 14 Jun 2012 12:26:05 +0000
    • Anthony FerraraThu, 14 Jun 2012 13:11:55 +0000
      • Peter LindThu, 14 Jun 2012 13:27:37 +0000
        • Anthony FerraraThu, 14 Jun 2012 13:35:57 +0000
          • Peter LindThu, 14 Jun 2012 14:26:07 +0000
            • Anthony FerraraThu, 14 Jun 2012 14:58:20 +0000
            • Ángel GonzálezThu, 14 Jun 2012 15:50:23 +0000
              • Peter LindThu, 14 Jun 2012 16:33:15 +0000
      • Thomas HruskaThu, 14 Jun 2012 14:19:59 +0000
        • Anthony FerraraThu, 14 Jun 2012 14:50:09 +0000
  • Kris CraigThu, 14 Jun 2012 18:42:39 +0000
    • Herman RadtkeFri, 15 Jun 2012 16:23:33 +0000
      • Pierre JoyeSat, 16 Jun 2012 11:51:44 +0000
      • Anthony FerraraSat, 16 Jun 2012 12:41:22 +0000
        • Pierre JoyeSat, 16 Jun 2012 13:39:35 +0000
          • Ángel GonzálezSat, 16 Jun 2012 15:42:28 +0000
          • Solar DesignerWed, 27 Jun 2012 09:22:17 +0000
            • Anthony FerraraWed, 27 Jun 2012 11:51:38 +0000
              • Solar DesignerWed, 27 Jun 2012 13:07:34 +0000
                • Anthony FerraraWed, 27 Jun 2012 13:16:47 +0000
                • Galen Wright-WatsonWed, 27 Jun 2012 18:37:27 +0000
                  • Galen Wright-WatsonWed, 27 Jun 2012 18:48:52 +0000
  • Alexey ZakhlestinSun, 17 Jun 2012 13:58:33 +0000
    • Pierre JoyeSun, 17 Jun 2012 21:54:53 +0000
      • Alexey ZakhlestinMon, 18 Jun 2012 09:06:33 +0000
        • Pierre JoyeMon, 18 Jun 2012 15:42:26 +0000
          • Alexey ZakhlestinMon, 18 Jun 2012 16:03:47 +0000
          • Anthony FerraraMon, 18 Jun 2012 16:54:14 +0000
            • Enrico ZimuelMon, 18 Jun 2012 17:54:09 +0000
              • Anthony FerraraMon, 18 Jun 2012 18:04:33 +0000
                • Enrico ZimuelWed, 20 Jun 2012 06:07:32 +0000
            • Ángel GonzálezTue, 19 Jun 2012 22:26:36 +0000
              • Anthony FerraraWed, 20 Jun 2012 10:05:54 +0000
                • Anthony FerraraMon, 25 Jun 2012 15:43:13 +0000