Hi!

> So, wouldn't it be better if PHP provided an easy to use API for
> secure password hashes natively? So you just have to call a single
> function, which magically handles everything for you (like salt
> generation).

Yes. The fact that crypt() doesn't allow generating salts automatically
for non-default algorithms leads to people either defaulting to weaker
md5crypt or doing salt generation manually, which is dangerous. So I
think we need two things here:

1. An RFC for a generic password hashing function (probably in hash, but
can be standalone too) improving on crypt(). The start with pbkdf2
looks good, but if we could integrate all possible ways it'd be nicer.

2. A patch (and RFC if necessary) for crypt() to allow it to generate
salts for non-default algorithms.

-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
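As an added illustration (not code from the thread or from PHP itself) of the "manual salt generation" the mail warns about: crypt() with a non-default algorithm such as bcrypt needs the caller to build a correctly sized salt from the right alphabet, check crypt() for its short failure return, and compare hashes in constant time. The single function the thread asks for would hide all of this; password_hash(), added in PHP 5.5 after this discussion, is essentially that. The code assumes PHP 7+ for random_bytes() and hash_equals().

```php
<?php
// bcrypt ($2y$) expects "$2y$NN$" followed by exactly 22 characters from
// the alphabet ./A-Za-z0-9. Anything else is the "dangerous" path: crypt()
// rejects the setting or does not produce the hash the caller expected.
function bcrypt_salt(): string {
    // 16 random bytes -> 24 base64 chars ("==" padded); the first 22 carry
    // 128 bits of entropy. Only '+' differs from bcrypt's alphabet.
    $b64 = base64_encode(random_bytes(16));
    return substr(strtr($b64, '+', '.'), 0, 22);
}

function bcrypt_hash(string $password, int $cost = 10): string {
    // Valid bcrypt cost range is 04..31 (two digits, zero padded).
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    $setting = sprintf('$2y$%02d$%s', $cost, bcrypt_salt());
    $hash = crypt($password, $setting);
    // Per the PHP manual, crypt() signals failure with a string shorter than
    // 13 characters; a bcrypt hash is always 60. Never store a failure marker.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('crypt() failed to produce a bcrypt hash');
    }
    return $hash;
}

function bcrypt_verify(string $password, string $stored): bool {
    // The stored hash doubles as the setting (it carries algorithm, cost and
    // salt), so re-hash with it and compare in constant time.
    return hash_equals($stored, crypt($password, $stored));
}

// Constructed demo input; real code would take the password from the request.
$hash = bcrypt_hash('correct horse battery staple', 10);
var_dump(bcrypt_verify('correct horse battery staple', $hash));
var_dump(bcrypt_verify('wrong password', $hash));

// The hand-rolled mistake: a salt that is too short for bcrypt. crypt()
// returns its short failure marker instead of a 60-character hash, which
// is exactly what the length check above guards against.
$broken = crypt('pw', '$2y$10$tooshort');
var_dump(strlen($broken) === 60);
```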