On 16/06/12 15:39, Pierre Joye wrote:
> However the point here is not the implementation but the APIs.
>
> To be honest I am not a big fan of providing such an API in the core
> as no matter the default implementation, it will become obsolete sooner
> or later. And changing the default brings its lot of issues and BC
> problems.
>
> That being said, it seems that we may not have the choice anyway so
> having a well designed and implemented API for password (and related
> or similar areas) generations may be a good thing.

The generated password hash should contain versioning information (such as the $1$ for crypt), so password_verify() of later PHP versions will be able to correctly verify it, even after the default password hash changes (set an older type in php.ini if you don't want to use the new format).
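The versioning idea in the message above, as an added example that is not part of the original thread: it uses the password functions that shipped in PHP 5.5 and later (password_hash(), password_verify(), password_get_info(), password_needs_rehash()). The login() helper, the sample password and the cost values 10 and 12 are assumptions made for this illustration.

```php
<?php
// Added example. All hashes are generated at run time; nothing here comes from the thread.

$password = 'correct horse battery staple'; // constructed sample input

// A hash stored under an "older" policy: bcrypt at cost 10 (assumed values).
$stored = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

// The stored string describes itself: the prefix names the algorithm and its cost.
$info = password_get_info($stored);
printf("stored hash: algoName=%s cost=%d\n", $info['algoName'], $info['options']['cost']);

// The policy the application wants today (assumed for this example).
$currentAlgo = PASSWORD_BCRYPT;
$currentOpts = ['cost' => 12];

/**
 * Hypothetical login helper: returns null on a wrong password, otherwise the
 * hash that should be stored from now on (unchanged, or upgraded).
 */
function login($password, $stored, $algo, array $opts)
{
    // password_verify() takes algorithm and parameters from the hash itself,
    // so it does not depend on what the current default is.
    if (!password_verify($password, $stored)) {
        return null;
    }
    // The plaintext is only available at login, so this is the point at which
    // a hash in an older format can be upgraded to the current policy.
    if (password_needs_rehash($stored, $algo, $opts)) {
        return password_hash($password, $algo, $opts);
    }
    return $stored;
}

$upgraded = login($password, $stored, $currentAlgo, $currentOpts);
$rejected = login('wrong password', $stored, $currentAlgo, $currentOpts);

printf("old hash verified and replaced: %s\n", var_export($upgraded !== null && $upgraded !== $stored, true));
printf("cost recorded in new hash: %d\n", password_get_info($upgraded)['options']['cost']);
printf("wrong password rejected: %s\n", var_export($rejected === null, true));
```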