Herman,

> This userland library already solves all the issues you outlined with
> bcrypt: http://www.openwall.com/phpass/

That library is not without its issues. For example, if you ask for a portable hash, it gives you a custom algorithm instead of bcrypt. That's because the library is php4 compatible. So for modern versions of PHP (5.3+), it produces an unnecessarily weak hash.

In addition, the custom hash function that it uses is fairly weak. It uses md5 as its primitive (because in php4 that's all that's available), which, while not the end of the world, could be improved. It also does a simple feedback loop on the hash function for the iterations. This is good, but could be better by using hash_hmac, which internally does two hash rounds per call, and feeding back more state into the loop (like PBKDF2 does).

It's not bad enough that if you're already using it you should go running to replace it (not at all). But if you are starting a new project, stick to bcrypt, PBKDF2, crypt_sha512, scrypt, etc...

If you want some background on it: http://drupal.org/node/1201444

The reason that I am bringing it up is that if we're pulling it in core, we should understand the limitations...

Anthony
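The two loop shapes compared in the message above, side by side, as an added example that is not code from this thread or from phpass. The function names and the password, salt and iteration values are constructed for illustration; the second function is the first output block of PBKDF2 written out by hand and checked against PHP's built-in `hash_pbkdf2`.

```php
<?php
// Added illustration: function names are hypothetical, inputs are constructed.

// Simple feedback loop: one MD5 call per iteration, and the only state
// carried from one round to the next is the previous 16-byte digest.
function feedback_loop_md5(string $password, string $salt, int $iterations): string
{
    $hash = md5($salt . $password, true);
    do {
        $hash = md5($hash . $password, true);
    } while (--$iterations);
    return $hash;
}

// First output block of PBKDF2: every iteration is an HMAC call (two
// passes of the underlying hash), and each intermediate value U_i is
// XORed into the running result, so all rounds contribute to the output.
function pbkdf2_first_block(string $algo, string $password, string $salt, int $iterations): string
{
    // U_1 = HMAC(password, salt || INT_32_BE(1))
    $u = hash_hmac($algo, $salt . pack('N', 1), $password, true);
    $t = $u;
    for ($i = 1; $i < $iterations; $i++) {
        $u = hash_hmac($algo, $u, $password, true); // U_i = HMAC(password, U_{i-1})
        $t ^= $u;                                   // byte-wise XOR of equal-length strings
    }
    return $t;
}

// Constructed sample inputs.
$password   = 'correct horse battery staple';
$salt       = 'constructed-salt';
$iterations = 4096;

$weak    = feedback_loop_md5($password, $salt, $iterations);
$manual  = pbkdf2_first_block('sha256', $password, $salt, $iterations);
$builtin = hash_pbkdf2('sha256', $password, $salt, $iterations, 32, true);

echo 'md5 feedback loop : ', bin2hex($weak), PHP_EOL;
echo 'pbkdf2-sha256     : ', bin2hex($manual), PHP_EOL;
echo 'matches built-in  : ', hash_equals($builtin, $manual) ? 'yes' : 'no', PHP_EOL;
```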