This is very interesting. It's the first time I've seen recommendations
for bcrypt and against Argon2. Even OWASP recommends Argon2 over
bcrypt [1].

I am not a cryptography expert, so I believe that if there is a
discussion about which one is better, PHP shouldn't change things for now;
that totally answers the question of why the default is still
bcrypt.

Thank you both for replying.

[1] https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html



Vinicius Dias,
Zend Certified Engineer,
iMasters PHP Certified Professional




On Wed, Sep 6, 2023 at 16:25, Hans Henrik Bergan
<divinit...@gmail.com> wrote:
>
> Argon2 is opt-in, not opt-out, at compile time, so then we would have to
> agree on it being acceptable for PASSWORD_DEFAULT to have different values
> depending on compile-time options. Maybe that's completely fine, or maybe it
> isn't, idk.
>
> But as Düsterhus points out, Argon2 is inferior to bcrypt anyway, according
> to people much smarter than myself.
>
> Oh, and Argon2 has been around since 2015 and multiple vulnerabilities have
> been discovered, speeding up brute-force/dictionary attacks. Can't say the
> same for bcrypt.
>
> On Wed, Sep 6, 2023, 18:52 Tim Düsterhus <t...@bastelstu.be> wrote:
>>
>> Hi
>>
>> On 9/6/23 18:08, Vinicius Dias wrote:
>> > I was wondering here... Is there any reason for `PASSWORD_DEFAULT`'s
>> > value not to be `PASSWORD_ARGON2ID`?
>> >
>>
>> To the best of my knowledge Argon2 is not available in a "default"
>> installation of PHP without including any external dependencies.
>>
>> Also Argon2 for settings that are reasonable for interactive
>> authentication is worse than BCrypt according to:
>>
>> https://twitter.com/TerahashCorp/status/1155119064248913920
>> and
>> https://twitter.com/TerahashCorp/status/1155129705034653698
>>
>> Best regards
>> Tim Düsterhus
>>
>> --
>> PHP Internals - PHP Runtime Development Mailing List
>> To unsubscribe, visit: https://www.php.net/unsub.php
>>

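The thread's point that Argon2 is a compile-time opt-in (so `PASSWORD_ARGON2ID` may not exist while `PASSWORD_DEFAULT` is bcrypt) is easiest to see in code. The following is an added example, not code from the thread or from PHP itself; it pins an explicit bcrypt policy, detects whether the build also offers Argon2id, and uses `password_needs_rehash()` to migrate older hashes on login. The cost value and the sample password are constructed for the demo.

```php
<?php
// Added example, not from the thread. Argon2 support is a compile-time option
// (--with-password-argon2), so PASSWORD_ARGON2ID may be undefined on a given
// build, while PASSWORD_DEFAULT is bcrypt. Pinning the algorithm explicitly and
// rehashing on login keeps stored hashes on one known policy regardless of build.

/** Algorithms this PHP build offers; bcrypt ("2y") is always present (PHP >= 7.4). */
function available_password_algos(): array {
    return password_algos(); // e.g. ["2y"] or ["2y", "argon2i", "argon2id"]
}

/** The policy this application pins to: bcrypt, matching PASSWORD_DEFAULT. Cost 12 is a constructed choice. */
function password_policy(): array {
    return [PASSWORD_BCRYPT, ['cost' => 12]];
}

/** True only if PHP was built with Argon2 and exposes argon2id. */
function argon2id_available(): bool {
    return defined('PASSWORD_ARGON2ID')
        && in_array(PASSWORD_ARGON2ID, available_password_algos(), true);
}

function hash_password(string $plain): string {
    [$algo, $options] = password_policy();
    return password_hash($plain, $algo, $options);
}

/**
 * Verify a login attempt. If the stored hash does not match the pinned policy
 * (different algorithm or lower cost), rehash and hand the new hash to $persist.
 */
function verify_and_migrate(string $plain, string $stored, callable $persist): bool {
    if (!password_verify($plain, $stored)) {
        return false;
    }
    [$algo, $options] = password_policy();
    if (password_needs_rehash($stored, $algo, $options)) {
        $persist(password_hash($plain, $algo, $options));
    }
    return true;
}

// Constructed demo: a hash produced earlier with a lower cost gets migrated on login.
$old = password_hash('constructed-example-password', PASSWORD_BCRYPT, ['cost' => 10]);
$ok = verify_and_migrate('constructed-example-password', $old, function (string $new): void {
    echo "Rehashed with: " . password_get_info($new)['algoName'] . "\n";
});
echo $ok ? "login ok\n" : "login failed\n";
echo "Argon2id available in this build: " . (argon2id_available() ? 'yes' : 'no') . "\n";
```

Because `password_verify()` reads the algorithm from the hash prefix, both old and migrated hashes keep verifying during the transition; the `$persist` callback is where an application would write the new hash back to storage.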
