Version 4.0 #15

Open
wants to merge 20 commits into
base: master
@azjezz azjezz commented Nov 16, 2018

NOTE THIS PR CONTAINS HUGE BC BREAKS

  • Add PasswordHasherInterface and default PasswordHasher implementation

    • Add ability to modify the hashing algorithm
    • Add ability to change hashing options
    • Add ability to use different hashing methods (not recommended)
  • More tests

    • Test PasswordHasher implementation
    • Test Null-Byte Truncation
    • Test Key rotation
  • Set minimum PHP version to 7.1

  • Remove legacy support

  • fixes No opportunity given to change cost of password_hash function #10

  • refactor method names for a cleaner interface: lock/check is cleaner and easier to type than hashAndEncrypt/decryptAndVerify

  • pass the key as a constructor argument (you don't have to keep moving the key around the application)

example :

<?php

use Defuse\Crypto\Key;
use ParagonIE\PasswordLock\{
    PasswordLock,
    Hasher\PasswordHasher
};

// use Argon2I algorithm instead of Bcrypt
$hasher = new PasswordHasher(PASSWORD_ARGON2I, [
    'memory_cost' => 2048
]);

$key = Key::createNewRandomKey();

$password = new PasswordLock($key, $hasher);

$storeMe = $password->lock('password');

assert( $password->check('password', $storeMe) );
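
The null-byte truncation test and the hashing-cost option listed in the description above, as an added example that is not code from this PR or from the library: a plain-PHP sketch of pre-hashing a password before bcrypt with a caller-chosen cost. The function names `prehash`, `hashWithCost`, `verifyPrehashed` and `expect` are hypothetical, the sample passwords are constructed, and the encryption layer is left out.

```php
<?php
declare(strict_types=1);

// Hypothetical helper names; this is not the PasswordLock or PasswordHasher API.

// bcrypt stops at the first NUL byte and ignores input past 72 bytes.
// Raw SHA-384 (48 bytes) base64-encoded is 64 printable characters,
// so the value handed to bcrypt has no NUL and fits within the limit.
function prehash(string $password): string
{
    return base64_encode(hash('sha384', $password, true));
}

function hashWithCost(string $password, int $cost): string
{
    return password_hash(prehash($password), PASSWORD_BCRYPT, ['cost' => $cost]);
}

function verifyPrehashed(string $password, string $stored): bool
{
    return password_verify(prehash($password), $stored);
}

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("failed: $what");
    }
    echo "ok: $what\n";
}

// Constructed sample inputs.
$nulA  = "hunter2\0alpha";
$nulB  = "hunter2\0bravo";                 // same bytes before the NUL
$longA = str_repeat('A', 72) . 'alpha';
$longB = str_repeat('A', 72) . 'bravo';    // same first 72 bytes

$stored = hashWithCost($nulA, 4);          // cost 4 keeps the demo fast
expect(verifyPrehashed($nulA, $stored), 'original password verifies');
expect(!verifyPrehashed($nulB, $stored), 'different suffix after NUL is rejected');

$storedLong = hashWithCost($longA, 4);
expect(!verifyPrehashed($longB, $storedLong), 'different suffix past 72 bytes is rejected');

// Raising the configured cost flags old hashes for re-hashing at next login.
expect(password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12]), 'cost 4 hash needs rehash at cost 12');
expect(!password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 4]), 'no rehash when cost is unchanged');
```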

@azjezz
Author

azjezz commented Nov 16, 2018

cc @paragonie-scott

@paragonie-scott
Member

Wow, awesome. I'll check this out over the weekend. At a glance, it looks like a heck of an improvement though. 👍

@azjezz
Author

azjezz commented Nov 16, 2018

@paragonie-scott great!

@azjezz azjezz changed the title Version 4.0 [WIP] Version 4.0 Nov 16, 2018
@azjezz azjezz changed the title [WIP] Version 4.0 Version 4.0 Nov 17, 2018
@azjezz azjezz closed this Nov 17, 2018
@azjezz azjezz reopened this Nov 17, 2018
@azjezz
Author

azjezz commented Nov 17, 2018

@paragonie-scott if this is too much of a BC break, I suggest deprecating this library for a new paragonie/locker library and:

  • refactor namespace from ParagonIE\PasswordLock to ParagonIE\Locker
  • refactor class name from PasswordLock to PasswordLocker

I have made a ParagonIE\Locker branch, you can take a look at it here.

@rjindael

Hi, it's been 2 years (almost 3.) Will this PR ever be merged, or will there be a new library due to backward incompatibility?

Successfully merging this pull request may close these issues.

No opportunity given to change cost of password_hash function