On 18/06/12 18:54, Anthony Ferrara wrote:
> Pierre,
>
>> There is sadly only state-of-art-right-now password hashing methods.
>> We have to keep that in mind :)
> That's why the crypt() return format was designed. All of the options
> that are needed to validate the hash (algorithm, cost parameter, salt,
> etc) are fit right into the outputted string.
>
> I'd suggest that's what's done here. In fact, I'd make the functions
> just a thin wrapper around crypt(). Basically, just where it sets sane
> defaults that we can update every minor (or major) release (to
> compensate for faster servers). It handles salt generation, error
> checking, etc.
>
> Here's what I have in mind in php: https://gist.github.com/2949382
I don't think the code is the most appropriate one, but I suppose that's
not a final proposal.
The interfaces look good to me.
I'd maybe set the default $algo to PASSWORD_DEFAULT_HASH or similar,
being a value bumped on each next revision.
I would consider it preferable to have the $ of password_register_algo prefix
implicit.

Regards


-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
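
The quoted point that a crypt() string carries everything needed to validate it (algorithm, cost, salt), shown as an added example that is not part of this thread or of the linked gist. The `example_*` function names and the default cost of 10 are assumptions made for illustration, and bcrypt (`$2y$`) is the only algorithm handled.

```php
<?php
// Added illustration: all example_* names are hypothetical, not the gist's API.
const EXAMPLE_DEFAULT_COST = 10; // assumption: a default a later release could raise

function example_hash(string $password, int $cost = EXAMPLE_DEFAULT_COST): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    // 16 random bytes -> 22 characters of bcrypt's ./A-Za-z0-9 salt alphabet
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$%s', $cost, $salt));
    // crypt() reports failure with a short marker string such as "*0"
    if (!is_string($hash) || strlen($hash) !== 60) {
        throw new RuntimeException('crypt() failed');
    }
    return $hash;
}

function example_verify(string $password, string $hash): bool
{
    // The stored hash is passed as the salt: crypt() reads algorithm, cost and
    // salt back out of it, so no separate parameters have to be stored.
    $check = crypt($password, $hash);
    return is_string($check) && strlen($check) === 60 && hash_equals($hash, $check);
}

function example_info(string $hash): ?array
{
    $re = '/^\$(2[axy])\$(\d{2})\$([.\/A-Za-z0-9]{22})[.\/A-Za-z0-9]{31}$/';
    if (!preg_match($re, $hash, $m)) {
        return null; // not a bcrypt-format string
    }
    return ['algo' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3]];
}

function example_needs_rehash(string $hash, int $cost = EXAMPLE_DEFAULT_COST): bool
{
    // True when the stored parameters are weaker than the current defaults
    $info = example_info($hash);
    return $info === null || $info['algo'] !== '2y' || $info['cost'] < $cost;
}

// Constructed sample: a hash created under an older, cheaper default cost
$stored = example_hash('correct horse', 8);
var_dump(example_info($stored)['cost']);
var_dump(example_verify('correct horse', $stored));
var_dump(example_verify('wrong guess', $stored));
var_dump(example_needs_rehash($stored));
```

Because the cost is read back from the stored string, raising the default only affects new hashes; existing ones keep verifying and can be rehashed at the user's next successful login.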
