Richard,

> There is also the case of an app that simply shouldn't run with the
> single default, but could pick and choose a suitable algorithm from a
> list of defaults, while still honoring whatever is in the .ini file
> instead of going rogue with some other algorithm.

I disagree there. I think that's up to the application to decide. A list of defaults does nothing but needlessly complicate the implementation. How is the hash function supposed to determine which of the list of defaults to use? Let the application layer choose, and pass it in. The current PASSWORD_DEFAULT lives for the sole reason that it auto-updates to indicate the most secure algorithm available.

Anthony

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
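
An added illustration of the approach argued for in the message above (not code from the thread or from the PHP project): the application keeps its own preference list and passes one algorithm to the hashing call. `APP_ALGO_PREFERENCE`, `choose_algorithm()`, `hash_password()` and `verify_and_upgrade()` are hypothetical application-side names; `password_hash()`, `password_verify()` and `password_needs_rehash()` are the functions of PHP's password API as it later shipped.

```php
<?php
// Added example: the application layer, not the hashing API, selects the algorithm.
// All names defined in this file are hypothetical.

// Application policy, in order of preference. Constant names are stored as
// strings so that algorithms missing from this PHP build can be skipped.
const APP_ALGO_PREFERENCE = ['PASSWORD_ARGON2ID', 'PASSWORD_BCRYPT'];

// Return the first preferred algorithm this build supports.
function choose_algorithm(array $preference)
{
    foreach ($preference as $name) {
        if (defined($name)) {
            return constant($name);
        }
    }
    // Nothing on the application's list is available: use the engine default.
    return PASSWORD_DEFAULT;
}

// The hashing call receives exactly one algorithm, chosen by the caller.
function hash_password(string $password): string
{
    return password_hash($password, choose_algorithm(APP_ALGO_PREFERENCE));
}

// Verify a login and, if the stored hash no longer matches the current
// policy, re-hash while the plaintext is available.
// Returns [bool $valid, string $hashToStore].
function verify_and_upgrade(string $password, string $stored): array
{
    if (!password_verify($password, $stored)) {
        return [false, $stored];
    }
    $algo = choose_algorithm(APP_ALGO_PREFERENCE);
    if (password_needs_rehash($stored, $algo)) {
        $stored = password_hash($password, $algo);
    }
    return [true, $stored];
}

// Constructed sample: a hash created under an older bcrypt-only policy.
$old = password_hash('correct horse', PASSWORD_BCRYPT);
[$valid, $current] = verify_and_upgrade('correct horse', $old);
var_dump($valid, password_get_info($current)['algoName']);
```

Whether the sample hash is upgraded depends on which algorithms the running PHP build provides, which is the decision the application makes in `choose_algorithm()`.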