Argon2 is opt-in, not opt-out, at compile time, so we would then have to
agree on it being acceptable for PASSWORD_DEFAULT to have different values
depending on compile-time options; maybe that's completely fine, or maybe it
isn't, I don't know.

But as Düsterhus points out, Argon2 is inferior to bcrypt anyway, according
to people much smarter than myself.

Oh, and Argon2 has been around since 2015, and multiple vulnerabilities have
been discovered that speed up brute-force/dictionary attacks. I can't say the
same for bcrypt.

On Wed, Sep 6, 2023, 18:52 Tim Düsterhus <t...@bastelstu.be> wrote:

> Hi
>
> On 9/6/23 18:08, Vinicius Dias wrote:
> > I was wondering here... Is there any reason for `PASSWORD_DEFAULT`'s
> > value not to be `PASSWORD_ARGON2ID`?
> >
>
> To the best of my knowledge Argon2 is not available in a "default"
> installation of PHP without including any external dependencies.
>
> Also Argon2 for settings that are reasonable for interactive
> authentication is worse than BCrypt according to:
>
> https://twitter.com/TerahashCorp/status/1155119064248913920
> and
> https://twitter.com/TerahashCorp/status/1155129705034653698
>
> Best regards
> Tim Düsterhus
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: https://www.php.net/unsub.php
>
>

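The thread's practical point is that PASSWORD_ARGON2ID only exists in a PHP build compiled with Argon2 support, while PASSWORD_DEFAULT is pinned to bcrypt. The following is an added example (not code from the thread or from PHP's own sources) showing how an application can pick the strongest algorithm the running build offers, fall back to bcrypt otherwise, and transparently upgrade old hashes at login with password_needs_rehash(). The cost parameters, the in-memory "user store" and the sample password are illustrative assumptions, not recommendations made anywhere in the thread.

```php
<?php
declare(strict_types=1);

/**
 * Return [algorithm, options] for the strongest password hash this PHP build
 * supports. PASSWORD_ARGON2ID is only defined when PHP was compiled against
 * libargon2, so the defined() check is what "opt-in at compile time" means
 * for application code. Cost values below are assumptions for illustration.
 */
function preferred_algo(): array
{
    if (defined('PASSWORD_ARGON2ID')) {
        return [PASSWORD_ARGON2ID, [
            'memory_cost' => 64 * 1024, // KiB, i.e. 64 MiB per hash
            'time_cost'   => 3,         // iterations
            'threads'     => 1,
        ]];
    }
    // Fallback that every PHP build has. Note that bcrypt only consumes the
    // first 72 bytes of the password; longer input is silently truncated.
    return [PASSWORD_BCRYPT, ['cost' => 12]];
}

function hash_password(string $password): string
{
    [$algo, $options] = preferred_algo();
    return password_hash($password, $algo, $options);
}

/**
 * Verify a login and, if the stored hash uses a weaker or different
 * algorithm/cost than preferred_algo(), re-hash and persist it. This is how
 * a site migrates hashes when it moves between builds or raises costs.
 */
function verify_and_upgrade(string $password, string $storedHash, callable $persist): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    [$algo, $options] = preferred_algo();
    if (password_needs_rehash($storedHash, $algo, $options)) {
        $persist(password_hash($password, $algo, $options));
    }
    return true;
}

// --- Constructed demonstration (assumed data, not from the thread) ---------

// PASSWORD_DEFAULT is bcrypt regardless of compile-time options; this is the
// thing the thread debates changing.
printf("PASSWORD_DEFAULT === PASSWORD_BCRYPT: %s\n",
    PASSWORD_DEFAULT === PASSWORD_BCRYPT ? 'true' : 'false');

$users = [];                      // hypothetical user store: name => hash
$persist = function (string $newHash) use (&$users): void {
    $users['alice'] = $newHash;
    echo "stored upgraded hash: {$newHash}\n";
};

// Simulate a hash created on an older deployment with a low bcrypt cost.
$users['alice'] = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
printf("legacy hash algo: %s, options: %s\n",
    password_get_info($users['alice'])['algoName'],
    json_encode(password_get_info($users['alice'])['options']));

// Wrong password: no upgrade, no information about the stored algorithm.
var_dump(verify_and_upgrade('wrong password', $users['alice'], $persist));

// Correct password: verified, and the hash is upgraded to preferred_algo().
var_dump(verify_and_upgrade('correct horse battery staple', $users['alice'], $persist));
printf("current hash algo: %s\n", password_get_info($users['alice'])['algoName']);
```

One caveat that follows from Düsterhus' point: a hash produced with PASSWORD_ARGON2ID on a build that has libargon2 cannot be verified on a build that lacks it (password_verify() simply returns false), so a fleet with mixed builds must standardise on bcrypt or make sure every node is compiled with Argon2 before switching the preferred algorithm.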