So I'm using the new PHP 5.5 Password Hashing API, and I'm not sure if I got this correctly.
I've tried automatically rehashing every login and sometimes I fail, even when the hashing turns out to be the same anyways, I feel like I'm doing something wrong.
It could be the query function that I probably got wrong, because the hashes don't even change when I check phpMyAdmin.
if (password_needs_rehash($result_row->user_password_hash, PASSWORD_DEFAULT))
{
$newhash = password_hash(
$_POST['user_password'], PASSWORD_BCRYPT,
['cost' => 12, 'salt' => 'superfreakingsonicdude',]
);
// update hash in database
$this->connection->query(
"UPDATE users SET user_password_hash='" . $newhash .
"' WHERE user_name='".$result_row->user_name."'"
);
}
The funcion password_needs_rehash
has been introduced to check if you need to upgrade:
password_needs_rehash($result_row->user_password_hash, PASSWORD_DEFAULT)
This function checks to see if the supplied hash implements the algorithm and options provided. If not, it is assumed that the hash needs to be rehashed.
If you have problems to understand what this function does, the RFC contains the function in PHP code. So if you can read PHP code, you should be able to read the following (see the part introduced as It could be implemented in user-land by: ): https://wiki.php.net/rfc/password_hash#password_needs_rehash
Makes sense to test if the hash in the database (store) is of the same algorithm as in PASSWORD_DEFAULT
or not. That means to check if PASSWORD_DEFAULT
has been changed between the time the hash has been stored last time and now.
Right now PASSWORD_DEFAULT
is PASSWORD_BCRYPT
so it should always return false. In your case it returns true, because you're testing without your password options.
Change that and you should be fine:
$options = ['cost' => 12, 'salt' => 'superfreakingsonicdude',];
########
if (password_needs_rehash($result_row->user_password_hash, PASSWORD_DEFAULT, $options))
########
{
$newhash = password_hash($_POST['user_password'], PASSWORD_DEFAULT, $options);
################ ########
// update hash in database
$this->connection->query(
"UPDATE users SET user_password_hash='" . $newhash .
"' WHERE user_name='".$result_row->user_name."'"
);
}
Also consider to continue to use PASSWORD_DEFAULT
if you want to benefit from a default hashing algo update in PHP core.
The input to the hash is the password and salt. Same password, same salt, same result.
If you leave the salt
parameter out, a random salt will be generated each time and you should get a different result. You should not provide a static salt. This means all users have the same salt, which greatly diminishes its effectiveness. Each individual hash
needs
should have a random salt.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.