> > With respect to adding those algorithms for generating hashes, I'm 100% dead set against it.

Ok, I understand and agree, generating hashes for weaker algos is not a good idea. The point I wanted to address was forward/backward compatibility with existing password databases that use PHPass:

> The way password_verify is implemented, it can use any crypt(3) generated hash for verification.

So forward/backward compatibility is granted for CRYPT_EXT_DES, well done. Still, for md5-based hashes ($P$/$H$ prefixes), crypt() doesn't work. What about handling these schemes only in password_verify()?

I think that could help a lot on adoption rate for the new API, easing the transition for current phpass users.

Nicolas
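
The verify-only handling of `$P$`/`$H$` hashes discussed in this message can be sketched in userland as follows. This is an added example, not code from the original post, from phpass, or from the password API proposal; the function names `phpass_encode64`, `phpass_portable` and `verify_with_legacy` are hypothetical, and the sample hash is constructed by the script itself.

```php
<?php
// Added example: verify-only fallback for phpass "portable" (md5-based) hashes.
const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// phpass base-64 variant: little-endian 24-bit groups, 6 bits per output character.
function phpass_encode64(string $in, int $count): string {
    $out = '';
    $i = 0;
    do {
        $v = ord($in[$i++]);
        $out .= ITOA64[$v & 0x3f];
        if ($i < $count) $v |= ord($in[$i]) << 8;
        $out .= ITOA64[($v >> 6) & 0x3f];
        if ($i++ >= $count) break;
        if ($i < $count) $v |= ord($in[$i]) << 16;
        $out .= ITOA64[($v >> 12) & 0x3f];
        if ($i++ >= $count) break;
        $out .= ITOA64[($v >> 18) & 0x3f];
    } while ($i < $count);
    return $out;
}

// Recompute a $P$/$H$ hash from the cost character and 8-character salt in $setting.
// Returns null when $setting is not a portable phpass hash.
function phpass_portable(string $password, string $setting): ?string {
    if (!preg_match('/^\$[PH]\$[.\/0-9A-Za-z]{9}/', $setting)) return null;
    $log2 = strpos(ITOA64, $setting[3]);
    if ($log2 < 7 || $log2 > 30) return null;
    $hash = md5(substr($setting, 4, 8) . $password, true);
    for ($n = 1 << $log2; $n > 0; $n--) {
        $hash = md5($hash . $password, true);
    }
    return substr($setting, 0, 12) . phpass_encode64($hash, 16);
}

// Verify against either scheme. A successful legacy match is always flagged for
// rehashing, so the caller can store a fresh password_hash() value at login.
function verify_with_legacy(string $password, string $stored): array {
    $legacy = phpass_portable($password, $stored);
    if ($legacy !== null) {
        $ok = hash_equals($stored, $legacy);   // constant-time comparison
        return ['ok' => $ok, 'rehash' => $ok];
    }
    $ok = password_verify($password, $stored);
    return ['ok' => $ok, 'rehash' => $ok && password_needs_rehash($stored, PASSWORD_DEFAULT)];
}

// Constructed sample: cost character '9' (2^11 rounds) and a made-up salt.
$stored = phpass_portable('correct horse', '$P$9saltsalt');
var_dump(verify_with_legacy('correct horse', $stored), verify_with_legacy('wrong', $stored));
```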