Hi everybody! In issue #64816[1] the OP suggests in the comment from [2015-05-05 04:34 UTC] that hash_pbkdf2() should be recommended for advanced users, and that password_hash() should use PBKDF2 with at least 128,000 rounds.
The "Adding simple password hashing API" RFC[2] mentions in the "Future concerns" section that new hash algorithms may be introduced, and that the default algorithm as well as the default cost may be changed. According to the "Updating PASSWORD_DEFAULT" section[3] changing the default algorithm for PHP 7.0 is not possible anymore, but it might be considered to add support for PBKDF2, and to increase the cost of the CRYPT_BLOWFISH algorithm. Thoughts?

[1] <https://bugs.php.net/bug.php?id=64816>
[2] <https://wiki.php.net/rfc/password_hash#future_concerns>
[3] <https://wiki.php.net/rfc/password_hash#updating_password_default>

--
Christoph M. Becker

--
PHP Internals - PHP Runtime Development Mailing List
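As an added illustration (not code from the thread or from php-src), here is how an application can apply both ideas discussed above today, without waiting for PASSWORD_DEFAULT to change: hash_pbkdf2() with the 128,000 rounds proposed in bug #64816, and password_hash() with a bcrypt cost above the current default, using password_needs_rehash() to upgrade older hashes at login. The PBKDF2 digest (sha256), the self-describing storage format and the bcrypt cost of 12 are assumptions of this example.

```php
<?php
// 1. PBKDF2 via hash_pbkdf2() with the 128,000 rounds proposed in bug #64816.
//    hash_pbkdf2() returns only the derived key, so algorithm, iteration count
//    and salt are stored with it (format below is an assumption of this example).
const PBKDF2_ALGO       = 'sha256';
const PBKDF2_ITERATIONS = 128000;

function pbkdf2_hash(string $password): string {
    $salt = random_bytes(16);
    $key  = hash_pbkdf2(PBKDF2_ALGO, $password, $salt, PBKDF2_ITERATIONS, 32, true);
    return sprintf('pbkdf2$%s$%d$%s$%s', PBKDF2_ALGO, PBKDF2_ITERATIONS,
                   base64_encode($salt), base64_encode($key));
}

function pbkdf2_verify(string $password, string $stored): bool {
    $parts = explode('$', $stored);
    if (count($parts) !== 5 || $parts[0] !== 'pbkdf2') {
        return false;
    }
    [, $algo, $iter, $salt, $key] = $parts;
    $salt = base64_decode($salt, true);
    $key  = base64_decode($key, true);
    if ($salt === false || $key === false || (int) $iter < 1) {
        return false;
    }
    $calc = hash_pbkdf2($algo, $password, $salt, (int) $iter, strlen($key), true);
    return hash_equals($key, $calc); // constant-time comparison
}

// 2. bcrypt via password_hash() with a cost above the current default of 10.
//    password_needs_rehash() upgrades hashes made with a lower cost the next
//    time the user logs in successfully, so raising the cost needs no reset.
const BCRYPT_COST = 12; // assumption for this example; tune per hardware

function bcrypt_login(string $password, string &$storedHash): bool {
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $storedHash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        // the caller must persist the new $storedHash
    }
    return true;
}

// Usage: a hash created with the old default cost is upgraded on login.
$hash = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
var_dump(bcrypt_login('correct horse battery staple', $hash), password_get_info($hash)['options']);
$stored = pbkdf2_hash('correct horse battery staple');
var_dump(pbkdf2_verify('correct horse battery staple', $stored), pbkdf2_verify('wrong', $stored));
```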