Stas,

> https://wiki.php.net/rfc/password_hash
>
> Looks good. The only question I have is for password_make_salt() - do we
> need the user to specify length? I think length is defined by the
> algorithm in most cases. Maybe convert it to password_make_salt(int
> $salt_type = PASSWORD_SALT_BCRYPT, int $length)
> with both arguments optional and one of salt types being
> PASSWORD_SALT_OTHER which just generates given length?

My only hesitation there is that SALT_* specifies the format. So all of the crypt() hashes would use that format (a-zA-Z0-9./). Perhaps the name is bad, and it should be SALT_CRYPT instead (but this has the assumption that salt formats will never change for crypt())...
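
The design question in this exchange, sketched as an added example that is not code from the RFC or from either poster: one salt format (the 64-character crypt() alphabet) shared by every scheme, with the length taken from the scheme unless the caller supplies one. The names `example_make_crypt_salt`, `CRYPT_SALT_ALPHABET` and `CRYPT_SALT_LENGTHS` are hypothetical, and `random_bytes()` assumes PHP 7 or later.

```php
<?php
// Added illustration; all names below are hypothetical, not the RFC's API.

// The crypt() salt alphabet discussed above: a-zA-Z0-9./ (64 characters).
const CRYPT_SALT_ALPHABET =
    './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// Salt length in characters for each crypt() scheme.
const CRYPT_SALT_LENGTHS = [
    'std_des' => 2,
    'md5'     => 8,
    'sha256'  => 16,
    'sha512'  => 16,
    'bcrypt'  => 22,
];

function example_make_crypt_salt(string $scheme, ?int $length = null): string
{
    if ($length === null) {
        // The length is defined by the algorithm; an unknown scheme must
        // supply its own (the "OTHER" case suggested in the quoted text).
        if (!isset(CRYPT_SALT_LENGTHS[$scheme])) {
            throw new InvalidArgumentException("length required for '$scheme'");
        }
        $length = CRYPT_SALT_LENGTHS[$scheme];
    }
    if ($length < 1) {
        throw new InvalidArgumentException('salt length must be positive');
    }

    $raw  = random_bytes($length); // CSPRNG output, one byte per character
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        // The alphabet has exactly 64 entries, so the low 6 bits of a
        // uniform byte select a character without modulo bias.
        $salt .= CRYPT_SALT_ALPHABET[ord($raw[$i]) & 0x3f];
    }
    return $salt;
}

// Constructed sample input: build a bcrypt setting string and verify it.
$password = 'constructed-sample-password';
$hash     = crypt($password, '$2y$10$' . example_make_crypt_salt('bcrypt'));
var_dump(strlen($hash) === 60, hash_equals($hash, crypt($password, $hash)));
var_dump(strlen(example_make_crypt_salt('other', 12)) === 12);
```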