Re: [RFC] Add hash_pbkdf2 function

Date: Thu, 21 Jun 2012 11:16:33 +0000
Subject: Re: [RFC] Add hash_pbkdf2 function
Groups: php.internals
Jonathan,

> I like this proposal, it could be useful to add a simpler api that has
> defaults matching the NIST recommendation:
> hash_password($password, $salt, $algo = 'sha1', $iterations = 1000);

Check out the other thread about adding a simple password API.

As far as implementing that as well, I don't care for it. Basically,
the reason is that it limits the algorithms that can be called by
hash_password. Specifically scrypt would not be possible, because it
has more parameters than that.

> My point being that:
>
> $hash = hash_password('1234', 'my'. $password[1] .
> 'super-long-salt-secret');
>
> Gives good enough security for 80% of use cases and is simpler than:
>
> $hash = hash_pbkdf2('sha1', '1234', 'my'. $password[1] .
> 'super-long-salt-secret', 1000);
>
> Developers will still use sha1 or md5 because they are so simple.

The goal of this API addition is not to simplify anything. It's to
provide a C implementation of the PBKDF2 algorithm. The other topic
about password hashing has the simplification goal.

Anthony
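An added userland reference implementation of the PBKDF2 derivation (RFC 2898) the RFC proposes to expose from C, written as example code for this thread and not taken from the PHP patch or the PHP manual; it uses the argument order quoted above ($algo, $password, $salt, $iterations), adds assumed $length and $raw parameters, includes Jonathan's proposed wrapper with its suggested defaults, and checks itself against the published RFC 6070 PBKDF2-HMAC-SHA1 test vectors.

```php
<?php
// Added example: userland PBKDF2 (RFC 2898 / PKCS #5) in the argument order
// discussed in the thread. $length and $raw are assumed extras: $length is the
// number of hex characters (or bytes when $raw is true); 0 means one full
// hash output. Each block T_i = U_1 xor U_2 xor ... xor U_c, where
// U_1 = HMAC(P, S || INT_32_BE(i)) and U_j = HMAC(P, U_{j-1}).
function pbkdf2_userland(string $algo, string $password, string $salt,
                         int $iterations, int $length = 0, bool $raw = false): string
{
    $hashLen = strlen(hash($algo, '', true));      // digest size in bytes
    $rawLen  = $length === 0 ? $hashLen : ($raw ? $length : (int) ceil($length / 2));
    $blocks  = (int) ceil($rawLen / $hashLen);
    $out     = '';
    for ($i = 1; $i <= $blocks; $i++) {
        $u = hash_hmac($algo, $salt . pack('N', $i), $password, true);
        $t = $u;
        for ($j = 1; $j < $iterations; $j++) {
            $u = hash_hmac($algo, $u, $password, true);
            $t ^= $u;                              // byte-wise XOR of equal-length strings
        }
        $out .= $t;
    }
    $out = substr($out, 0, $rawLen);
    return $raw ? $out : substr(bin2hex($out), 0, $length === 0 ? $hashLen * 2 : $length);
}

// Jonathan's simplified wrapper from the thread, with the defaults he suggested.
// Its fixed ($algo, $iterations) shape is Anthony's objection: a scheme such as
// scrypt needs more cost parameters than this signature can carry.
function hash_password(string $password, string $salt,
                       string $algo = 'sha1', int $iterations = 1000): string
{
    return pbkdf2_userland($algo, $password, $salt, $iterations);
}

// Self-check against two RFC 6070 test vectors (password "password", salt "salt").
function pbkdf2_self_test(): bool
{
    $ok = pbkdf2_userland('sha1', 'password', 'salt', 1, 40)
          === '0c60c80f961f0e71f3a9b524af6012062fe037a6';
    return $ok && pbkdf2_userland('sha1', 'password', 'salt', 4096, 20, true)
          === hex2bin('4b007901b765489abead49d926f721d065a429c1');
}

var_dump(pbkdf2_self_test());
```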
