Since you mentioned the fractal post, you should at least read my reply to it. http://blog.ircmaxell.com/2012/04/php-sucks-but-i-like-it.html I think you miss a very key point, that sucking matters for shit when you're able to get stuff done with it. Additionally, saying nothing has changed is a bit of a ruse. Follow the internals lists, and watch what's been happening in newer releases, and you'll see that lots has been changing. Overall, just another FUD article. Sigh...

Very good post! I wrote almost the same post on my blog last year: http://blog.ircmaxell.com/2011/08/rainbow-table-is-dead.html One point though. Cryptographic hashes are supposed to be fast, not slow. The faster the hash, the better in that it is faster to verify the message. Otherwise, we'd be using iterated hash functions for signing data, which we're not. The primary defense against brute forcing is not the speed, but the shear size of the output space (which is why most modern hash algorithms are 256 bit or better). The speed of the function is seen as an advantage because it lets you quickly tell the validity of the message. Now, for password hashing, this speed is a negative since it's very fast to brute force an entire search space (relative to documents). And that's why iterated password hashing algorithms (such as scrypt, bcrypt and pbkdf2) exist. To make the fast hashing function slower for its uses... Otherwise, very well said... Anthony