>
> On Jul 25, 2024 at 5:35 PM, <Rowan Tommins [IMSoP]
> (mailto:[email protected])> wrote:
> Rather than force people to use functions that we acknowledge are hard
>
>
> to use, surely the logical thing is to make the "right" code *easy* to use?
> Which means if we want people to use SHA-256, let's add a sha256() function
> to make it easy. This is what password_hash() and password_verify() did
> right: the functionality was already there in crypt(), but it's hard to use,
> and harder to use correctly. Providing clearer functions, even though they do
> the same thing, helps new developers "fall into the pit of success".
>
>
Yes! 1000% *THIS*.
-Mike
>
>
> The hash() function isn't quite as confusing as crypt(), but according to
> the manual, it currently supports 60 different algorithms, most of which I
> have never heard of. I'm aware that "sha256" is better than "sha1", but
> should I be aiming higher, and using "sha384", or maybe one of the four
> flavours of "sha3"? Then there's the fun-sounding "whirlpool", the faintly
> rude-sounding "snefru", and a bewildering fifteen flavours of "haval". A new
> user being told "don't use sha1(), use hash() and pick from this list" is
> more likely to say "ah, there's sha1, jolly good" than spend an afternoon
> reading cryptography journals. There's no pit of success to fall into.
> Regards, -- Rowan Tommins [IMSoP]
>
>
