On 03.07.2012 at 18:21, Anthony Ferrara wrote:
> >> know you didn't like PASSWORD_MOST_SECURE. So what about keeping
> >> PASSWORD_DEFAULT as a moving target, documented, and just making the
> >> second parameter (algo) to password_hash required? That way users
> >
> > To be honest I'm not sure of the benefit of making the second parameter 
> > mandatory.
> 
> The benefit is that it forces the user to make the choice between a moving 
> target (the default which will be updated over time) and a specific 
> algorithm. That way if they need to integrate with other non-PHP 
> applications, they can stick to a single algorithm that they know both 
> support.

In my opinion that will be the rare case, not the normal case. If this API aims 
to be simple then it should be optimized for the normal case.

> > 2) I'd like to be able to check whether a stored password uses an outdated 
> > algorithm and update the hash in that case. For that I'd need either a 
> > function to extract the salt from a hash to pass it to password_hash() and 
> > compare the result with the old hash. Or preferably a separate function 
> > password_hash_outdated($hash) => bool or something similar. Or maybe 
> > someone can come up with yet a better solution for this.
> 
> Well... I don't know about that. Outdated is a very odd concept here. 
> Perhaps, a password_hash_get_algo($hash) call would suffice. That way, you 
> could do if (PASSWORD_BCRYPT == password_get_hash_algo($hash)) { //upgrade 
> hash }. Or even if (PASSWORD_DEFAULT != password_get_hash_algo($hash))...  

Why would outdated be an odd concept here? If you plan to update 
PASSWORD_DEFAULT or the number of rounds (and yes, that's part of the whole 
discussion here) then you should make it easy for developers to use the 
strongest option available without hassle.

Almost every application should use the following operations:
- Hash a password for storage
        $user->store([ 'hash' => password_hash($password) ]);

- Compare a password with a previously stored one and update if possible
        if ($authenticated = password_verify($password, $hash) and password_outdated($hash))
                $user->store([ 'hash' => password_hash($password) ]);

This, to me, would be a simple and future-proof API for the masses. People with 
more complex requirements should be expected to read the documentation more 
carefully.

> Speaking of which, since algorithms can be introduced over time, should a new 
> function password_algos() be added to return an indexed array of supported 
> algorithms?

The only use for that I see is the interoperability with other applications but 
most people won't need it.

- Chris


--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
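The "verify, then upgrade the hash if it is outdated" flow Chris sketches above, written as an added example (not code from the thread) against the password API as it later shipped in PHP 5.5+, where the proposed password_outdated() became password_needs_rehash() and the algorithm argument of password_hash() is required. The policy constants, the verifyAndUpgrade() helper and the $store callback are assumptions for the example.

```php
<?php
// Added example, not from the thread: login verification with transparent
// hash upgrade, using the shipped API (password_hash, password_verify,
// password_needs_rehash, password_get_info).
declare(strict_types=1);

// Current site policy (assumed): the moving-target default algorithm and a
// cost the server can afford. Raising the cost later is enough to make every
// existing hash "outdated" and upgraded at the user's next successful login.
const HASH_ALGO = PASSWORD_DEFAULT;
const HASH_OPTIONS = ['cost' => 12];

/** Hash a new or changed password for storage under the current policy. */
function hashForStorage(string $password): string
{
    return password_hash($password, HASH_ALGO, HASH_OPTIONS);
}

/**
 * Verify a login attempt. Returns true on success; on success, if the stored
 * hash no longer matches the current policy, a fresh hash is handed to $store
 * (a hypothetical callback that persists it). A failed login never rehashes.
 */
function verifyAndUpgrade(string $password, string $storedHash, callable $store): bool
{
    // Verify first: the plaintext is only available at login time.
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    // "Outdated" = algorithm or options differ from the current policy.
    if (password_needs_rehash($storedHash, HASH_ALGO, HASH_OPTIONS)) {
        $store(hashForStorage($password));
    }
    return true;
}

// Constructed user record whose hash was made under an older, weaker policy
// (bcrypt with cost 4 instead of the current 12).
$user = ['hash' => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 4])];
$info = password_get_info($user['hash']);
printf("stored:   %s cost=%d\n", $info['algoName'], $info['options']['cost']);

$ok = verifyAndUpgrade('correct horse battery staple', $user['hash'],
    function (string $newHash) use (&$user): void { $user['hash'] = $newHash; });
printf("login ok: %s\n", $ok ? 'yes' : 'no');
printf("upgraded: cost=%d\n", password_get_info($user['hash'])['options']['cost']);

// A wrong password is rejected and must not touch the stored hash.
$bad = verifyAndUpgrade('wrong', $user['hash'],
    function (string $h): void { throw new LogicException('must not store'); });
printf("wrong password accepted: %s\n", $bad ? 'yes' : 'no');
```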
