Request #77134 password_needs_rehash will flag a superior password
Submitted: 2018-11-10 05:48 UTC Modified: 2018-11-10 05:57 UTC
From: dsumner at sumone dot ca Assigned:
Status: Not a bug Package: hash related
PHP Version: 7.0.32 OS: all
Private report: No CVE-ID: None
 [2018-11-10 05:48 UTC] dsumner at sumone dot ca
Description:
------------
On my website I am hashing all passwords with a cost of 7 (There is really no great security need). When a user logs on, their password is checked with password_needs_rehash and it works well except that I want certain users to have a password with a higher cost than most users. I can generate their hashes quite easily, but when password_needs_rehash sees these "superior" passwords it returns TRUE and the logon logic then automatically downgrades their passwords.


 [2018-11-10 05:57 UTC] requinix@php.net
-Status: Open +Status: Not a bug
 [2018-11-10 05:57 UTC] requinix@php.net
"This function checks to see if the supplied hash implements the algorithm and options provided."
It does not try to decide "superiority".

If you know the hash should be generated with particular options then pass those to password_needs_rehash.
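
An added example (not code from the report or from the PHP project) of the login flow discussed in this thread: the per-user cost is passed to password_needs_rehash, and a password_get_info check, which goes beyond the reply's suggestion, keeps a bcrypt hash whose cost is already higher than required. DEFAULT_COST, requiredCostFor(), verifyAndMaybeRehash() and the $user array layout are assumptions made for illustration.

```php
<?php
const DEFAULT_COST = 7; // site-wide bcrypt cost mentioned in the report

// Hypothetical policy lookup: an optional per-user minimum cost stored with the account.
function requiredCostFor(array $user): int
{
    return $user['min_cost'] ?? DEFAULT_COST;
}

// Returns false on a wrong password, otherwise the hash that should be stored.
function verifyAndMaybeRehash(array $user, string $password)
{
    if (!password_verify($password, $user['hash'])) {
        return false;
    }
    $options = ['cost' => requiredCostFor($user)];

    // password_needs_rehash() only tests whether the hash matches this algorithm
    // and these options exactly; it does not rank one cost above another.
    if (!password_needs_rehash($user['hash'], PASSWORD_BCRYPT, $options)) {
        return $user['hash'];
    }

    // Guard against downgrades: keep a bcrypt hash whose cost exceeds the requirement.
    $info = password_get_info($user['hash']);
    if ($info['algoName'] === 'bcrypt' && ($info['options']['cost'] ?? 0) > $options['cost']) {
        return $user['hash'];
    }

    return password_hash($password, PASSWORD_BCRYPT, $options);
}

// Constructed sample accounts (not real data).
$pw = 'correct horse battery staple';
$users = [
    'override' => ['min_cost' => 10, 'hash' => password_hash($pw, PASSWORD_BCRYPT, ['cost' => 10])],
    'stronger' => ['hash' => password_hash($pw, PASSWORD_BCRYPT, ['cost' => 10])],
    'weaker'   => ['hash' => password_hash($pw, PASSWORD_BCRYPT, ['cost' => 5])],
];

foreach ($users as $name => $user) {
    $stored = verifyAndMaybeRehash($user, $pw);
    $cost = password_get_info($stored)['options']['cost'];
    printf("%-8s stored cost: %d, rehashed: %s\n", $name, $cost, $stored === $user['hash'] ? 'no' : 'yes');
}
```

Only the 'weaker' account is rehashed, up to the default cost; the other two keep their cost 10 hashes.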
Last updated: Wed Aug 10 16:03:35 2022 UTC