2012/8/1 Ángel González <keis...@gmail.com>:
> I'd go with the hashing. I would however produce a slightly different
> prefix
> than with bare bcrypt.

Like that. And I thought some about it. Currently, there is no real need for that. And no one is hindered from implementing his own version information into it.

But to do this right, there is a lack of information. This brought me to a good idea: a constant

    PASSWORD_VERSION

The current version number of the password functions. You're free to store this information with the hash (e.g. '$$' . PASSWORD_VERSION . password_hash()..., of course remove it before verify!).

Every change (new algorithms etc.) will increment the version. This can help to detect the case when in version 79 bcrypt is removed because it is too insecure/too old.

As said, currently not needed, but if someone likes to, here it is. :)

--
Alex Aulbach

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
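
The scheme proposed in the message above, as an added example that is not part of the original post or of PHP itself. PASSWORD_VERSION is not an existing PHP constant, so the hypothetical APP_PASSWORD_VERSION stands in for it, and the helper names are assumptions.

```php
<?php
// Hypothetical stand-in for the proposed PASSWORD_VERSION constant
// (PHP itself does not define one).
const APP_PASSWORD_VERSION = 1;

// Store "$$<version>" followed by the unmodified password_hash() output.
function store_hash(string $password): string
{
    return '$$' . APP_PASSWORD_VERSION . password_hash($password, PASSWORD_BCRYPT);
}

// Split a stored value into [version, bare hash]; null when it is malformed.
function split_stored(string $stored): ?array
{
    // The bare hash starts with '$', which terminates the version digits.
    if (!preg_match('/^\$\$(\d+)(\$.+)$/', $stored, $m)) {
        return null;
    }
    return [(int) $m[1], $m[2]];
}

// Verify against the bare hash (prefix removed) and report whether the
// record was written under an older version and should be re-hashed.
function check_password(string $password, string $stored): array
{
    $parts = split_stored($stored);
    if ($parts === null) {
        return ['ok' => false, 'rehash' => false]; // fail closed
    }
    [$version, $hash] = $parts;
    $ok = password_verify($password, $hash);
    $stale = $version < APP_PASSWORD_VERSION
        || password_needs_rehash($hash, PASSWORD_BCRYPT);
    // Only re-hash after a successful login, when the plaintext is known.
    return ['ok' => $ok, 'rehash' => $ok && $stale];
}

// Constructed sample values.
$stored = store_hash('correct horse');
var_dump(check_password('correct horse', $stored));
var_dump(check_password('wrong', $stored));

// A record written under a constructed older version 0.
$old = '$$0' . password_hash('correct horse', PASSWORD_BCRYPT);
var_dump(check_password('correct horse', $old));
```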