Request #77134 password_needs_rehash will flag a superior password
Submitted: 2018-11-10 05:48 UTC Modified: 2018-11-10 05:57 UTC
From: dsumner at sumone dot ca Assigned:
Status: Not a bug Package: hash related
PHP Version: 7.0.32 OS: all
Private report: No CVE-ID: None
 [2018-11-10 05:48 UTC] dsumner at sumone dot ca
Description:
------------
On my website I am hashing all passwords with a cost of 7 (there is really no great security need). When a user logs on, their password is checked with password_needs_rehash and it works well, except that I want certain users to have a password with a higher cost than most users. I can generate their hashes quite easily, but when password_needs_rehash sees these "superior" passwords it returns TRUE and the logon logic then automatically downgrades their passwords.


 [2018-11-10 05:57 UTC] requinix@php.net
-Status: Open +Status: Not a bug
 [2018-11-10 05:57 UTC] requinix@php.net
"This function checks to see if the supplied hash implements the algorithm and options provided."
It does not try to decide "superiority".

If you know the hash should be generated with particular options then pass those to password_needs_rehash.
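
An added example, not part of the report or of the reply above: login logic that passes each account's own cost to password_needs_rehash, and additionally uses password_get_info so that a stored bcrypt hash with a higher cost is never lowered. The function names and the cost value 12 are hypothetical; only the password_* calls are PHP's own API.

```php
<?php
// Added example. Function names and ELEVATED_COST are hypothetical.

const DEFAULT_COST = 7;     // cost for ordinary accounts, as in the report
const ELEVATED_COST = 12;   // constructed value for the "certain users"

// Cost to check against: the account's policy cost, or the stored hash's
// own cost if that is already higher, so a login never lowers it.
function effective_cost(string $storedHash, int $policyCost): int
{
    $info = password_get_info($storedHash);
    if ($info['algo'] === PASSWORD_BCRYPT) {
        return max($policyCost, $info['options']['cost'] ?? $policyCost);
    }
    return $policyCost;
}

// Returns [bool $authenticated, string|null $hashToStore].
function login_check(string $password, string $storedHash, int $policyCost): array
{
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }
    $options = ['cost' => effective_cost($storedHash, $policyCost)];
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, $options)) {
        // Algorithm differs or cost is below the effective cost: re-hash.
        return [true, password_hash($password, PASSWORD_BCRYPT, $options)];
    }
    return [true, null];
}

// Constructed sample data: one ordinary and one elevated account.
$pw = 'correct horse battery staple';
$ordinary = password_hash($pw, PASSWORD_BCRYPT, ['cost' => DEFAULT_COST]);
$elevated = password_hash($pw, PASSWORD_BCRYPT, ['cost' => ELEVATED_COST]);

// Elevated hash checked with its own policy cost: nothing to store.
var_dump(login_check($pw, $elevated, ELEVATED_COST)[1] === null);
// Elevated hash checked with the site default: kept, not downgraded.
var_dump(login_check($pw, $elevated, DEFAULT_COST)[1] === null);
// Ordinary hash on an account moved to the elevated policy: upgraded.
$new = login_check($pw, $ordinary, ELEVATED_COST)[1];
var_dump(password_get_info($new)['options']['cost'] === ELEVATED_COST);
```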
 
Last updated: Sat Dec 21 14:01:32 2024 UTC