Pierre,

> > I've added a pair of new functions to the RFC and implementation:
> >
> > password_needs_rehash($hash, $algo, array $options = array())
>
> Not totally convinced about that one.

I'm not either. That's why I added the discussion point around it. I can see it going either way.

> I would prefer a password_rehash instead, then a simple comparison is needed to know if an update is necessary or not.
>
> > password_get_info($hash)
>
> Sounds good, to get all the details about the given hash.

The *only* problem with this is what happens if the options array contains unused variables for an algorithm. Say we implement scrypt, and there's an R variable in the array. If we check a bcrypt algorithm hash (with PASSWORD_BCRYPT specifically), if the array contains "R", it could throw a red herring indicating an unnecessary re-hash.

So there's some algorithm-specific information that needs to be compared, thereby making a "needs_rehash" function in userland non-trivial. It's still not complex, but it's not trivial either.

Part of me wants to see it as it would be maintained over the years as new algorithms are introduced, and hence can compensate for other things that implementing it in userland can't...

In other words, I'm not sure either way...

Anthony
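To illustrate the option-comparison problem discussed above, here is an added example (not the RFC's implementation or anything from the thread) of a userland needs_rehash built on password_get_info(). It assumes password_get_info() returns an 'algo' key and an 'options' array as the RFC describes, and the RELEVANT_OPTIONS table and the scrypt "R" key are constructed for the demonstration.

```php
<?php
// Added example: a userland needs_rehash that compares only the options an
// algorithm actually consumes, so a stray key (e.g. a hypothetical scrypt "R")
// does not trigger a needless rehash of a bcrypt hash.

// Constructed table: which option keys each supported algorithm uses.
// bcrypt only cares about "cost"; new algorithms would add their own entries.
const RELEVANT_OPTIONS = [
    PASSWORD_BCRYPT => ['cost'],
];

function userland_needs_rehash(string $hash, $algo, array $options = []): bool
{
    $info = password_get_info($hash);

    // Not a recognised password_hash() format (algo is null/0): always rehash.
    if ($info['algo'] === null || $info['algo'] === 0) {
        return true;
    }

    // A different algorithm than the one we now want: rehash.
    if ((string) $info['algo'] !== (string) $algo) {
        return true;
    }

    // Same algorithm: compare only the keys this algorithm uses and ignore
    // anything else in $options, which is the algorithm-specific knowledge a
    // naive array comparison lacks.
    foreach (RELEVANT_OPTIONS[$algo] ?? [] as $key) {
        $wanted  = $options[$key] ?? null;
        $current = $info['options'][$key] ?? null;
        if ($wanted !== null && $wanted !== $current) {
            return true;
        }
    }

    return false;
}

// Constructed demo input: a bcrypt hash made with cost 10.
$hash = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);

// Same algorithm and cost: no rehash needed.
var_dump(userland_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => 10]));

// Cost raised to 12: the stored hash is weaker than policy, so rehash.
var_dump(userland_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => 12]));

// Stray scrypt-style "R" key alongside the same cost: irrelevant to bcrypt,
// so it must not be reported as needing a rehash.
var_dump(userland_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => 10, 'R' => 8]));
```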