RE: [PHP-DEV] [RFC] Add hash_pbkdf2 function

Date: Wed, 20 Jun 2012 15:00:04 +0000
Subject: RE: [PHP-DEV] [RFC] Add hash_pbkdf2 function
Groups: php.internals
On Mon Jun 18 07:14 PM, Anthony Ferrara wrote:
> 
>  https://wiki.php.net/rfc/hash_pbkdf2
> 

I like this proposal. It could be useful to add a simpler API that has
defaults matching the NIST recommendation:
hash_password($password, $salt, $algo = 'sha1', $iterations = 1000);

If the salt doesn't have at least 16 characters (128 bits), throw an error.

Internally this calls:
hash_pbkdf2('sha1', $password, $salt, 1000);

My point being that:

$hash = hash_password('1234', 'my'. $password[1] .
'super-long-salt-secret');

Gives good enough security in 80% of use cases and is simpler than:

$hash = hash_pbkdf2('sha1', '1234', 'my'. $password[1] .
'super-long-salt-secret', 1000); 

Developers will still use sha1 or md5 because they are so simple.
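
The wrapper proposed in the message above, sketched in userland PHP as an added example (not code from the message or from the RFC). `hash_password()` and `verify_password()` are hypothetical names and the sample password and salt are constructed; the `sha1`/1000 defaults are the ones the message proposes, and callers can pass stronger values.

```php
<?php
// Added illustration. hash_password() and verify_password() are hypothetical
// helpers, not PHP built-ins. Requires PHP 7.2+ (random_bytes, hash_hmac_algos).

function hash_password(string $password, string $salt,
                       string $algo = 'sha1', int $iterations = 1000): string
{
    // Rule from the message: refuse salts shorter than 16 bytes (128 bits).
    if (strlen($salt) < 16) {
        throw new InvalidArgumentException('salt must be at least 16 bytes (128 bits)');
    }
    // PBKDF2 is built on HMAC, so only accept algorithms usable with HMAC.
    if (!in_array($algo, hash_hmac_algos(), true)) {
        throw new InvalidArgumentException("unsupported hash algorithm: $algo");
    }
    if ($iterations < 1) {
        throw new InvalidArgumentException('iterations must be a positive integer');
    }
    // Delegate to the function the RFC adds; the result is a hex string.
    return hash_pbkdf2($algo, $password, $salt, $iterations);
}

function verify_password(string $password, string $salt, string $expected,
                         string $algo = 'sha1', int $iterations = 1000): bool
{
    // Recompute with the stored salt and compare in constant time.
    return hash_equals($expected, hash_password($password, $salt, $algo, $iterations));
}

// Constructed sample input: a fresh random 16-byte salt per password,
// stored next to the hash so the hash can be recomputed at login.
$salt = random_bytes(16);
$hash = hash_password('1234', $salt);

echo "stored hash: $hash\n";
echo 'matching password accepted: ';
var_dump(verify_password('1234', $salt, $hash));
echo 'different password accepted: ';
var_dump(verify_password('12345', $salt, $hash));

// The salt-length check from the message, exercised with a short salt.
try {
    hash_password('1234', 'short-salt');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```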
