PHP :: Request #77134 :: password_needs_rehash will flag a superior password

Request #77134	password_needs_rehash will flag a superior password
Submitted:	2018-11-10 05:48 UTC	Modified:	2018-11-10 05:57 UTC
From:	dsumner at sumone dot ca	Assigned:
Status:	Not a bug	Package:	hash related
PHP Version:	7.0.32	OS:	all
Private report:	No	CVE-ID:	None

View Developer Edit

[2018-11-10 05:48 UTC] dsumner at sumone dot ca

Description:
------------
On my website I am hashing all passwords with a cost of 7 (There is really no great security need). When a user logs on their password is checked with password_needs_rehash and it work well except that I want certain users to have a password with a higher cost than most users. I can generate their hashes quite easily, but when password_needs_rehash sees these "superior" passwords it returns TRUE and the logon logic then automatically downgrades their passwords.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2018-11-10 05:57 UTC] requinix@php.net

-Status: Open +Status: Not a bug

[2018-11-10 05:57 UTC] requinix@php.net

"This function checks to see if the supplied hash implements the algorithm and options provided."
It does not try to decide "superiority".

If you know the hash should be generated with particular options then pass those to password_needs_rehash.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri May 09 19:01:28 2025 UTC