PHP :: Bug #78208 :: password_needs_rehash() returns false for password hashed with a different algo

Bug #78208	password_needs_rehash() returns false for password hashed with a different algo
Submitted:	2019-06-25 16:11 UTC	Modified:	2019-06-25 18:15 UTC
From:	thomas dot gerbet at enalean dot com	Assigned:	pollita (profile)
Status:	Closed	Package:	*Encryption and hash functions
PHP Version:	7.4.0alpha1	OS:
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	thomas dot gerbet at enalean dot com
New email:
PHP Version:		OS:

New Comment:

[2019-06-25 16:11 UTC] thomas dot gerbet at enalean dot com

Description:
------------
password hashed using crypt() with a different algorithm than the one chosen for password_needs_rehash() are not considered as needing to be rehashed.

This behaviour is different than the one of PHP 7.1 to PHP 7.3.

Test script:
---------------
<?php

var_dump(password_needs_rehash(crypt('Example', '$1$'), PASSWORD_DEFAULT)); // CRYPT_MD5
var_dump(password_needs_rehash(crypt('Example', '$6$rounds=5000$aa$'), PASSWORD_DEFAULT));  // CRYPT_SHA512 with 5000 rounds

Expected result:
----------------
bool(true)
bool(true)

Actual result:
--------------
bool(false)
bool(false)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2019-06-25 16:21 UTC] daverandom@php.net

-Status: Open +Status: Verified

[2019-06-25 16:21 UTC] daverandom@php.net

Confirmed different behaviour between 7.3 and 7.4

https://3v4l.org/njXjM

[2019-06-25 16:21 UTC] requinix@php.net

-Status: Verified +Status: Open -Assigned To: +Assigned To: pollita

[2019-06-25 16:21 UTC] requinix@php.net

This was changed as a result of the Password Hashing Registry RFC: algorithms not known to the registry are skipped.
https://wiki.php.net/rfc/password_registry

@pollita?

[2019-06-25 17:41 UTC] thomas dot gerbet at enalean dot com

I also forgot to add that the issue is only triggered when using the PASSWORD_DEFAULT constant, with the PASSWORD_BCRYPT constant we have the expected result.

https://3v4l.org/Z61hu

[2019-06-25 18:15 UTC] pollita@php.net

Confirmed. On it.

[2019-06-27 23:28 UTC] pollita@php.net

Automatic comment on behalf of pollita
Revision: http://git.php.net/?p=php-src.git;a=commit;h=27f1f3ed1a040a7f20bd9bb16af7bf219f4df97f
Log: Bugfix #78208 Needs rehash with an unknown algo should always return true.

[2019-06-27 23:28 UTC] pollita@php.net

-Status: Assigned +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Oct 24 12:00:01 2025 UTC