Bug #78208 password_needs_rehash() returns false for password hashed with a different algo
Submitted: 2019-06-25 16:11 UTC Modified: 2019-06-25 18:15 UTC
From: thomas dot gerbet at enalean dot com Assigned: pollita (profile)
Status: Closed Package: *Encryption and hash functions
PHP Version: 7.4.0alpha1 OS:
Private report: No CVE-ID: None
 [2019-06-25 16:11 UTC] thomas dot gerbet at enalean dot com
Passwords hashed using crypt() with a different algorithm than the one chosen for password_needs_rehash() are not considered as needing to be rehashed.

This behaviour differs from that of PHP 7.1 to PHP 7.3.

Test script:

<?php
var_dump(password_needs_rehash(crypt('Example', '$1$'), PASSWORD_DEFAULT)); // CRYPT_MD5
var_dump(password_needs_rehash(crypt('Example', '$6$rounds=5000$aa$'), PASSWORD_DEFAULT)); // CRYPT_SHA512 with 5000 rounds

Expected result:

Actual result:


 [2019-06-25 16:21 UTC]
-Status: Open +Status: Verified
 [2019-06-25 16:21 UTC]
Confirmed different behaviour between 7.3 and 7.4
 [2019-06-25 16:21 UTC]
-Status: Verified +Status: Open -Assigned To: +Assigned To: pollita
 [2019-06-25 16:21 UTC]
This was changed as a result of the Password Hashing Registry RFC: algorithms not known to the registry are skipped.

 [2019-06-25 17:41 UTC] thomas dot gerbet at enalean dot com
I also forgot to add that the issue is only triggered when using the PASSWORD_DEFAULT constant, with the PASSWORD_BCRYPT constant we have the expected result.
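The following is an added example, not code from the bug report or from PHP itself, illustrating the behaviour described in the report and the follow-up: on the affected build, password_needs_rehash() with PASSWORD_DEFAULT returns false for crypt() hashes whose algorithm is not in the password hashing registry, so a login flow relying on it would never upgrade those legacy hashes. The wrapper name password_needs_rehash_strict() and the sample hashes are assumptions; it treats any hash that password_get_info() cannot identify as needing a rehash.

```php
<?php
// Added example (not from the bug report or from PHP): defensive wrapper that
// forces a rehash when the stored hash was not produced by a registered
// password_hash() algorithm. The function name is hypothetical.

function password_needs_rehash_strict(string $hash, $algo, array $options = []): bool
{
    $info = password_get_info($hash);
    // An unidentified hash is reported as algo === null (PHP >= 7.4) or
    // algo === 0 (PHP < 7.4): in both cases it came from crypt() or some
    // other unregistered scheme and should be upgraded.
    if ($info['algo'] === null || $info['algo'] === 0) {
        return true;
    }
    return password_needs_rehash($hash, $algo, $options);
}

// Login-time use: verify first, then return the upgraded hash to store, the
// unchanged hash if it is already current, or null on a wrong password.
function verify_and_upgrade(string $password, string $stored): ?string
{
    if (!password_verify($password, $stored)) {
        return null;
    }
    if (password_needs_rehash_strict($stored, PASSWORD_DEFAULT)) {
        return password_hash($password, PASSWORD_DEFAULT);
    }
    return $stored;
}

// Constructed sample hashes mirroring the report's test script plus a bcrypt
// hash that is already current under PASSWORD_DEFAULT.
$samples = [
    'crypt md5'    => crypt('Example', '$1$'),
    'crypt sha512' => crypt('Example', '$6$rounds=5000$aa$'),
    'bcrypt'       => password_hash('Example', PASSWORD_BCRYPT),
];

foreach ($samples as $label => $hash) {
    printf("%-12s builtin=%-5s strict=%-5s\n",
        $label,
        var_export(password_needs_rehash($hash, PASSWORD_DEFAULT), true),
        var_export(password_needs_rehash_strict($hash, PASSWORD_DEFAULT), true));
    $upgraded = verify_and_upgrade('Example', $hash);
    printf("%-12s stored hash %s\n", '', $upgraded === $hash ? 'kept' : 'upgraded');
}
```

On the affected 7.4.0alpha1 build the two crypt() rows show builtin=false but strict=true, while the bcrypt row stays false in both columns and is kept as-is.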
 [2019-06-25 18:15 UTC]
Confirmed. On it.
 [2019-06-27 23:28 UTC]
Automatic comment on behalf of pollita
Log: Bugfix #78208 Needs rehash with an unknown algo should always return true.
 [2019-06-27 23:28 UTC]
-Status: Assigned +Status: Closed
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Mar 03 17:01:27 2024 UTC