Request #77134 password_needs_rehash will flag a superior password
Submitted: 2018-11-10 05:48 UTC Modified: 2018-11-10 05:57 UTC
From: dsumner at sumone dot ca Assigned:
Status: Not a bug Package: hash related
PHP Version: 7.0.32 OS: all
Private report: No CVE-ID: None
 [2018-11-10 05:48 UTC] dsumner at sumone dot ca
Description:
------------
On my website I am hashing all passwords with a cost of 7 (there is really no great security need). When a user logs on, their password is checked with password_needs_rehash, and it works well, except that I want certain users to have a password with a higher cost than most users. I can generate their hashes quite easily, but when password_needs_rehash sees these "superior" passwords it returns TRUE and the logon logic then automatically downgrades their passwords.


 [2018-11-10 05:57 UTC] requinix@php.net
-Status: Open +Status: Not a bug
 [2018-11-10 05:57 UTC] requinix@php.net
"This function checks to see if the supplied hash implements the algorithm and options provided."
It does not try to decide "superiority".

If you know the hash should be generated with particular options then pass those to password_needs_rehash.
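
The approach suggested in the reply above, as an added example that is not part of the original report or of PHP's own code: the expected cost is chosen per user before calling password_needs_rehash, and an upgrade-only check built on password_get_info is shown alongside it. The tier names, the cost of 12 and the function names are assumptions made for illustration.

```php
<?php
// Added illustration. Tier names and the elevated cost are assumptions;
// the report only mentions a default cost of 7.
const TIER_COST = ['standard' => 7, 'elevated' => 12];

/** Options the stored hash is expected to have for this user's tier. */
function expectedOptions(string $tier): array
{
    return ['cost' => TIER_COST[$tier] ?? TIER_COST['standard']];
}

/**
 * Verify a login. Returns array(ok, hashToStore); hashToStore is non-null
 * only when the stored hash does not match the options for this tier.
 */
function login(string $password, string $storedHash, string $tier): array
{
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }
    $options = expectedOptions($tier);
    // Exact-match check: true for a lower OR a higher cost than expected.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, $options)) {
        return [true, password_hash($password, PASSWORD_BCRYPT, $options)];
    }
    return [true, null];
}

/** Upgrade-only variant: a hash already at or above the target cost is kept. */
function needsUpgrade(string $storedHash, int $targetCost): bool
{
    $info = password_get_info($storedHash);
    if ($info['algoName'] !== 'bcrypt') {
        return true; // different or unknown algorithm: always rehash
    }
    return ($info['options']['cost'] ?? 0) < $targetCost;
}

// Constructed sample data: one hash created at the elevated cost.
$elevatedHash = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 12]);

list($ok, $new) = login('correct horse', $elevatedHash, 'elevated');
var_dump($ok, $new === null);   // tier matches the hash, nothing to store

list($ok, $new) = login('correct horse', $elevatedHash, 'standard');
var_dump($ok, $new === null);   // wrong tier passed: hash would be replaced at cost 7

var_dump(needsUpgrade($elevatedHash, 7)); // upgrade-only check keeps the cost-12 hash
```

The second call reproduces the behaviour described in the report: with the default options, a cost-12 hash is treated as non-matching and would be regenerated at cost 7.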
Last updated: Thu Apr 25 19:01:33 2024 UTC