Hannes,

On Sun, Sep 9, 2012 at 12:23 PM, Hannes Magnusson <hannes.magnus...@gmail.com> wrote:
> On Tue, Sep 4, 2012 at 3:16 PM, Anthony Ferrara <ircmax...@gmail.com> wrote:
> > Hello all,
> >
> > I'm opening the vote for the simplified password hashing API indicated here:
> >
> > https://wiki.php.net/rfc/password_hash
> >
>
> I like the idea, but I don't understand why this isn't developed as an
> extension first and then brought into core when it has proven to work
> and actually simplify things for the user?

First off, this has been discussed on the list for literally months. Why wait until the day before voting can end before bringing this up?

Secondly, the main reason for not developing this as an extension is that there's really no benefit to it. There are little to no performance gains to be had by the C implementation. It can live quite as easily as a PHP library.

The main reason for putting it in core is so that it's available to everyone, including people who have no idea how to use a library. By putting notes in the hash, md5, sha1 and crypt documentation pages pointing to this alternative, hopefully it will make it far easier for novices and people who don't know any better to securely hash passwords.

If you know enough to understand this problem, you're likely solving it already. But as recent attacks show, even experienced developers don't understand the problem. So by putting it in core, we're making a point and making it trivially easy to do it right. So trivial that it's actually just as hard (if not harder) to do it wrong.

To that effect, the only way it can be done is to do it in core...

> Especially considering the patch is unfinished.

Aside from adding a few more tests, what's unfinished? If you're referring to the line in the RFC, I just haven't updated it. The patch has been worked on and is in a place where I'd be comfortable submitting it...

Thanks,

Anthony
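The contrast Anthony draws above, between the md5/sha1 habit the documentation notes are meant to steer people away from and an API that is "just as hard to do wrong", as an added example that is not the RFC's or the patch's code. It assumes the API as it later shipped in PHP 5.5 (password_hash(), password_verify(), password_needs_rehash(), PASSWORD_DEFAULT resolving to bcrypt); the cost of 12 and the sample password are assumptions for the example.

```php
<?php
// Added example, not code from the RFC or its patch. Assumes the API as it
// shipped in PHP 5.5: password_hash(), password_verify(),
// password_needs_rehash() and PASSWORD_DEFAULT (bcrypt, "$2y$", at the time).

// --- The pattern the RFC is trying to displace ---------------------------
// Unsalted, single-round md5: two users with the same password get the same
// digest, and the function is fast enough that a leaked table falls to
// precomputed tables or plain brute force.
function weak_store(string $password): string {
    return md5($password);
}

function weak_check(string $password, string $stored): bool {
    // Loose == on hex digests adds a type-juggling hazard ("0e..." strings
    // compare as numeric zero). Kept only as the "before".
    return md5($password) == $stored;
}

// --- The simplified API -------------------------------------------------
// password_hash() chooses the algorithm, draws a random salt and encodes
// algorithm, cost and salt into the returned string, so there is no salt
// to store separately and nothing to reassemble at verify time.
const HASH_COST = 12; // assumption: tune so one hash takes ~50-100 ms on prod

function store(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT, ['cost' => HASH_COST]);
}

// Returns the stored hash on success, a fresh hash when the stored one is
// below current policy (caller persists it), or false on a wrong password.
function check(string $password, string $stored) {
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT, ['cost' => HASH_COST])) {
        // The password is known correct right now: upgrade the hash in place.
        return password_hash($password, PASSWORD_DEFAULT, ['cost' => HASH_COST]);
    }
    return $stored;
}

// --- Demo on constructed input ------------------------------------------
$pw = 'correct horse battery staple';   // constructed sample password

$h1 = weak_store($pw);
$h2 = weak_store($pw);
assert($h1 === $h2);                    // same password, same digest
assert(weak_check($pw, $h1));

$s1 = store($pw);
$s2 = store($pw);
assert($s1 !== $s2);                    // fresh salt each time
assert(strpos($s1, '$2y$12$') === 0);   // self-describing: bcrypt, cost 12
assert(check($pw, $s1) === $s1);        // correct password, policy already met
assert(check('wrong password', $s1) === false);

// A legacy hash made at a lower cost is accepted once and upgraded.
$old = password_hash($pw, PASSWORD_BCRYPT, ['cost' => 4]);
$upgraded = check($pw, $old);
assert($upgraded !== false && $upgraded !== $old);
assert(strpos($upgraded, '$2y$12$') === 0);

echo "ok\n";
```

The point of the check()/password_needs_rehash() pairing is that the cost and even the algorithm can be raised later without a migration step: each user's hash is upgraded the next time they log in successfully, which is the kind of thing a hand-rolled md5 scheme never gets.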