On 3 Feb 2017, at 18:56, internals-digest-h...@lists.php.net wrote:
> HKDF w/o salt is OK, but with salt, it's much stronger than w/o it.

That's not correct.
The salt defends against certain attacks on predictable input key
material, i.e. weak passwords. But HKDF should not normally be used for
passwords because it is unsuitable.
There is something like a weird pattern to your attempts to help PHP
programmers use the wrong function for the job -- HKDF for passwords,
uniqid and mt_rand for unpredictable randoms.
Tom
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
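
Added example, not part of the original message: a PHP sketch of the distinction drawn above, using HKDF (with an optional salt) to derive subkeys from high-entropy key material and `password_hash()` for passwords, then timing one call of each. The function names `deriveSubkey` and `secondsPerCall`, the info labels and the sample password are assumptions made for illustration; `hash_hkdf()` requires PHP 7.1.2 or later.

```php
<?php
// Added illustration; helper names, labels and sample values are constructed.

// HKDF-SHA256 via PHP's hash_hkdf(algo, key, length, info, salt).
function deriveSubkey(string $ikm, string $info, string $salt = ''): string
{
    return hash_hkdf('sha256', $ikm, 32, $info, $salt);
}

// Average wall-clock seconds for one call of $fn over $n runs.
function secondsPerCall(callable $fn, int $n): float
{
    $start = microtime(true);
    for ($i = 0; $i < $n; $i++) {
        $fn();
    }
    return (microtime(true) - $start) / $n;
}

// 1) Intended HKDF input: uniformly random key material.
$masterKey = random_bytes(32);
$salt      = random_bytes(32); // non-secret, stored next to the derived output
$encKey = deriveSubkey($masterKey, 'example-app:encryption', $salt);
$macKey = deriveSubkey($masterKey, 'example-app:mac', $salt);
printf("subkeys independent: %s\n", hash_equals($encKey, $macKey) ? 'no' : 'yes');

// 2) Passwords go through a deliberately slow, salted password hash.
$password = 'correct horse battery staple'; // constructed sample
$stored   = password_hash($password, PASSWORD_DEFAULT);
printf("verify correct: %s\n", password_verify($password, $stored) ? 'ok' : 'fail');
printf("verify wrong:   %s\n", password_verify('wrong guess', $stored) ? 'ok' : 'fail');

// 3) Cost of checking one candidate password under each construction.
//    The salt changes HKDF's output but not its per-call cost.
$hkdfCost = secondsPerCall(function () use ($password, $salt) {
    deriveSubkey($password, 'example-app:login', $salt);
}, 2000);
$pwCost = secondsPerCall(function () use ($password) {
    password_hash($password, PASSWORD_DEFAULT);
}, 3);
printf("HKDF:          %.6f s per call\n", $hkdfCost);
printf("password_hash: %.6f s per call\n", $pwCost);
printf("ratio:         ~%d x\n", (int) round($pwCost / $hkdfCost));
```

The measured ratio depends on the machine and on the cost setting behind `PASSWORD_DEFAULT`.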