(03-06-2017, 07:14 AM)ajturner Wrote: Why am I looking at possible PHP hashers? Are the functions included with PHP enough or do we want to abstract that process like Narf mentioned?
Here's the thing ... If you're building a reusable authentication package, it is supposed to handle that on its own, and you knowing how to handle this already is an essential requirement.
The abstraction I was referring to is tricky to achieve in a reusable manner, because:
- The fact that password verification is so closely tied to your users management logic, and that in turn is almost always tightly coupled to business logic too
- Different storage strategies/database structures
- Legacy hashes
You have none of those concerns, and while a library like the one I linked may indeed help you in your project, I do maintain that you're into it for the wrong reasons.
You shouldn't be looking for what components to use, but what are the problems at hand and how to solve them. If hashing is one of the problems, and you can't do it without a "hasher library", then I cannot trust you to build an authentication system for others to use.
(03-06-2017, 07:14 AM)ajturner Wrote: 2. PaulD, Narf summed it up pretty well with his response about the example.
I didn't sum up anything. I only demonstrated that PaulD's example was a bad one.
Please note that I started my reply to him by agreeing in principle, and then disagreeing explicitly on the particular example he gave.