php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #77134 password_needs_rehash will flag a superior password
Submitted: 2018-11-10 05:48 UTC Modified: 2018-11-10 05:57 UTC
From: dsumner at sumone dot ca Assigned:
Status: Not a bug Package: hash related
PHP Version: 7.0.32 OS: all
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: dsumner at sumone dot ca
New email:
PHP Version: OS:

 

 [2018-11-10 05:48 UTC] dsumner at sumone dot ca 
Description:
------------
On my website I am hashing all passwords with a cost of 7 (There is really no great security need). When a user logs on their password is checked with password_needs_rehash and it work well except that I want certain users to have a password with a higher cost than most users. I can generate their hashes quite easily, but when password_needs_rehash sees these "superior" passwords it returns TRUE and the logon logic then automatically downgrades their passwords.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-11-10 05:57 UTC] requinix@php.net
-Status: Open +Status: Not a bug
 [2018-11-10 05:57 UTC] requinix@php.net 
"This function checks to see if the supplied hash implements the algorithm and options provided."
It does not try to decide "superiority".

If you know the hash should be generated with particular options then pass those to password_needs_rehash.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Wed Apr 24 18:01:28 2024 UTC