I've added a pair of new functions to the RFC and implementation: password_needs_rehash($hash, $algo, array $options = array()) and password_get_info($hash)

Both are reasonably similar and there's a fair bit of overlap. Considering that password_needs_rehash can be implemented easily in user-land, I'm not convinced it's needed. Then again, it's easy to implement and shouldn't pose a maintenance headache, so I'm not sure if it shouldn't be there either... What do you think?

Anthony

On Tue, Jul 3, 2012 at 5:24 PM, Anthony Ferrara <ircmax...@gmail.com> wrote:
> Richard,
>
> > There is also the case of an app that simply shouldn't run with the
> > single default, but could pick and choose suitable algorithm from a
> > list of defaults, while still honoring whatever is in the .ini file
> > instead of going rogue with some other algorithm.
>
> I disagree there. I think that's up to the application to decide. A
> list of defaults does nothing but needlessly complicate the
> implementation. How is the hash function supposed to determine which
> of the list of defaults to use? Let the application layer choose, and
> pass it in. The current PASSWORD_DEFAULT lives for the sole reason
> that it auto-updates to indicate the most secure algorithm available.
>
> Anthony
>
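The user-land implementation of password_needs_rehash() that the message says is easy to write, as an added example that is not part of the RFC or the thread; it assumes the password_get_info() return shape ('algo', 'algoName', 'options') that PHP 5.5 shipped, and the helper names are hypothetical.

```php
<?php
// Added example: a user-land equivalent of password_needs_rehash(), built on
// password_get_info(). Assumes password_get_info() returns
// ['algo' => ..., 'algoName' => string, 'options' => array] as in PHP 5.5+.
function userland_password_needs_rehash($hash, $algo, array $options = array())
{
    $info = password_get_info($hash);

    // Different or unrecognised algorithm (legacy md5/crypt() formats report
    // 0, or null on PHP 7.4+): the hash must be upgraded on next login.
    if ($info['algo'] !== $algo) {
        return true;
    }

    // Same algorithm: compare every option the caller explicitly asks for
    // (for bcrypt that is the cost). Options not requested keep their defaults.
    foreach ($options as $name => $value) {
        if (!isset($info['options'][$name]) || $info['options'][$name] != $value) {
            return true;
        }
    }
    return false;
}

// Typical login-time use: verify first, and only then re-hash with the
// current site policy if the stored hash falls short of it. $store is a
// hypothetical callback that persists the new hash for this user.
function verify_and_maybe_rehash($password, $storedHash, $algo, array $options, callable $store)
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    if (userland_password_needs_rehash($storedHash, $algo, $options)) {
        $store(password_hash($password, $algo, $options));
    }
    return true;
}

// Constructed demonstration values: a low-cost bcrypt hash checked against the
// same policy, a raised cost, and a legacy (non-password_hash) md5 string.
$old = password_hash('correct horse battery staple', PASSWORD_BCRYPT, array('cost' => 4));
var_dump(userland_password_needs_rehash($old, PASSWORD_BCRYPT, array('cost' => 4)));
var_dump(userland_password_needs_rehash($old, PASSWORD_BCRYPT, array('cost' => 10)));
var_dump(userland_password_needs_rehash('5f4dcc3b5aa765d61d8327deb882cf99', PASSWORD_BCRYPT));
```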