Jonathan,

> I like this proposal, it could be useful to add a simpler API that has
> defaults matching the NIST recommendation:
> hash_password($password, $salt, $algo = 'sha1', $iterations = 1000);

Check out the other thread about adding a simple password API. As far as implementing that as well, I don't care for it. Basically, the reason is that it limits the algorithms that can be called by hash_password. Specifically, scrypt would not be possible, because it has more parameters than that.

> My point being that:
>
> $hash = hash_password('1234', 'my'. $password[1] .
> 'super-long-salt-secret');
>
> Gives good enough security in 80% of use cases and is simpler than:
>
> $hash = hash_pbkdf2('sha1', '1234', 'my'. $password[1] .
> 'super-long-salt-secret', 1000);
>
> Developers will still use sha1 or md5 because they are so simple.

The goal of this API addition is not to simplify anything. It's to provide a C implementation of the PBKDF2 algorithm. The other topic about password hashing has the simplification goal.

Anthony

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
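As an added example that is not part of the thread above or of PHP's own source, the following userland PBKDF2 (RFC 2898, HMAC as the PRF) shows what the C-level hash_pbkdf2() discussed here computes, and checks it against the built-in hash_pbkdf2() (available since PHP 5.5, with the signature hash_pbkdf2($algo, $password, $salt, $iterations, $length = 0, $binary = false)) on the RFC 6070 test vectors. The function name pbkdf2_userland and the $vectors table are this example's own; the vectors themselves are the published RFC 6070 values.

```php
<?php
// Added example, not code from the mailing-list thread or from PHP itself.
// A userland PBKDF2 (RFC 2898 section 5.2) so the reader can see exactly
// what the proposed C implementation computes; verified below against the
// built-in hash_pbkdf2() and the RFC 6070 PBKDF2-HMAC-SHA1 test vectors.

/**
 * PBKDF2 with HMAC-$algo as the pseudo-random function.
 * Returns $dkLen raw bytes of derived key.
 */
function pbkdf2_userland(string $algo, string $password, string $salt, int $iterations, int $dkLen): string
{
    if ($iterations < 1 || $dkLen < 1) {
        throw new InvalidArgumentException('iterations and dkLen must be >= 1');
    }
    $hLen   = strlen(hash($algo, '', true));   // output size of the underlying hash
    $blocks = (int) ceil($dkLen / $hLen);       // number of T_i blocks needed
    $out    = '';
    for ($i = 1; $i <= $blocks; $i++) {
        // U_1 = PRF(P, S || INT(i)) with INT(i) as a 32-bit big-endian counter
        $u = hash_hmac($algo, $salt . pack('N', $i), $password, true);
        $t = $u;
        for ($j = 1; $j < $iterations; $j++) {
            // U_j = PRF(P, U_{j-1});  T_i = U_1 xor U_2 xor ... xor U_c
            $u = hash_hmac($algo, $u, $password, true);
            $t ^= $u;   // byte-wise XOR of two equal-length strings
        }
        $out .= $t;
    }
    return substr($out, 0, $dkLen);
}

// RFC 6070 test vectors: password "password", salt "salt", 20-byte DK.
// Each entry is [iterations, expected DK in hex].
$vectors = [
    [1,    '0c60c80f961f0e71f3a9b524af6012062fe037a6'],
    [2,    'ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957'],
    [4096, '4b007901b765489abead49d926f721d065a429c1'],
];

foreach ($vectors as [$c, $expected]) {
    $mine = bin2hex(pbkdf2_userland('sha1', 'password', 'salt', $c, 20));
    // hash_pbkdf2() returns hex unless $binary is true, and $length then
    // counts hex characters, so 40 hex characters = a 20-byte key.
    $builtin = hash_pbkdf2('sha1', 'password', 'salt', $c, 40);
    printf("c=%-4d userland=%s builtin=%s match=%s\n",
        $c, $mine, $builtin,
        ($mine === $expected && $builtin === $expected) ? 'yes' : 'NO');
}
```

The point of the parameter list is Anthony's argument above in miniature: PBKDF2 is fully described by (PRF, password, salt, iteration count, output length), which is why a C hash_pbkdf2() can expose those and nothing else. scrypt is tuned by a CPU/memory cost N, a block size r and a parallelisation factor p in addition to the salt and output length, so a fixed four-argument hash_password($password, $salt, $algo, $iterations) has no slot to carry them, regardless of how the wrapper is implemented underneath.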