On Mon Jun 18 07:14 PM, Anthony Ferrara wrote:
>
> https://wiki.php.net/rfc/hash_pbkdf2
>

I like this proposal, it could be useful to add a simpler API that has defaults matching the NIST recommendation:

    hash_password($password, $salt, $algo = 'sha1', $iterations = 1000);

if the salt doesn't have at least 16 characters (128 bits), throw an error

internally this calls:

    hash_pbkdf2('sha1', $password, $salt, 1000);

My point being that:

    $hash = hash_password('1234', 'my'. $password[1] . 'super-long-salt-secret');

gives good enough security for 80% of use cases and is simpler than:

    $hash = hash_pbkdf2('sha1', '1234', 'my'. $password[1] . 'super-long-salt-secret', 1000);

Developers will still use sha1 or md5 because they are so simple.
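
Added example, not part of the original message and not code from the RFC: a userland PHP sketch of the wrapper proposed above. The name `hash_password()` and its defaults are taken from the message (it is not a PHP built-in); `verify_password()`, measuring the salt in bytes with `strlen()`, and the `random_bytes()` sample salt are assumptions of this example.

```php
<?php
// Added example: userland sketch of the proposed wrapper (hypothetical function).
function hash_password(string $password, string $salt, string $algo = 'sha1', int $iterations = 1000): string
{
    // Reject salts shorter than 16 bytes (128 bits), as the message proposes.
    // Assumption: "characters" is measured as bytes.
    if (strlen($salt) < 16) {
        throw new InvalidArgumentException('salt must be at least 16 bytes (128 bits)');
    }
    // Length 0 returns the full digest size of $algo; false selects hex output.
    return hash_pbkdf2($algo, $password, $salt, $iterations, 0, false);
}

// Hypothetical helper: recompute the derived key and compare in constant time,
// so the comparison does not leak how many leading characters matched.
function verify_password(string $password, string $salt, string $expected, string $algo = 'sha1', int $iterations = 1000): bool
{
    return hash_equals($expected, hash_password($password, $salt, $algo, $iterations));
}

// Constructed sample input: a fresh 16-byte salt and a sample password.
$salt = random_bytes(16);
$hash = hash_password('1234', $salt);

var_dump(strlen($hash));                            // hex length of the derived key
var_dump(verify_password('1234', $salt, $hash));    // same password, same salt
var_dump(verify_password('12345', $salt, $hash));   // different password

// A salt below the minimum length is refused before any hashing happens.
try {
    hash_password('1234', 'short');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The salt has to be stored next to the hash so that `verify_password()` can recompute the same derived key.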