On 8/5/16, 10:49 AM, "Charles R. Portwood II" <charlesportwoo...@ethreal.net on behalf of charlesportwoo...@erianna.com> wrote:
>I think for clarity, PASSWORD_ARGON2I would be sufficient. What are your
>thoughts?

Looks good.

>The rationale for providing defaults is to ensure the password_*
>functions remain easy to use.

I understand. I was actually suggesting that we deliberately make it harder to use!

>Assuming that at some point PASSWORD_ARGON2I (or any new algorithm)
>would become PASSWORD_DEFAULT, the end user's expectations would be that
>password_hash($password, PASSWORD_DEFAULT) just works, without needing to
>specify additional arguments.

I agree entirely. I'm not against introducing default cost constants. I am instead proposing we allow a period of time after introduction of Argon2 into PHP before deciding what the default costs should be and define the constants at the same time as setting PASSWORD_DEFAULT = PASSWORD_ARGON2I, or possibly before.

Please reread my previous message for the reasons behind this (odd, I admit) idea.

Tom