On Thu, Apr 22, 2021 at 3:20 AM Claude Pache <claude.pa...@gmail.com> wrote:
> Also, the warning message you introduced contains “... this hash should be regenerated using ...”.
> There is already a dedicated function for conveying that information in a coder-friendly way,
> namely `password_needs_rehash()`: let’s use that (it implies that the default algorithm should be changed).
>
Negative. There's no way for password_needs_rehash() to know that the original password contained a null byte.

1/ Because the original password isn't sent to password_needs_rehash, only the generated hash.
2/ Because even if you could derive what password was used to generate the hash, there's no way to tell if it was "foo" or "foo\0bar"; they would both generate the same hash (given the same salt).

-Sara
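The situation Sara describes, as an added example (not code from this thread or from php-src): a bcrypt hash produced from a password containing a NUL byte verifies against both the full password and its NUL-truncated prefix, password_needs_rehash() sees nothing wrong with it, and only the code that holds the plaintext at login time can make the missing check. It assumes a bcrypt build that truncates at the first NUL byte (the behaviour the warning in the patch targets; builds that reject NUL bytes in bcrypt passwords will make password_hash() fail instead). The helper login_and_migrate() is hypothetical, not a PHP API.

```php
<?php
// Added example, not code from the thread or from php-src.
// Assumes bcrypt truncates the password at the first NUL byte.

// A legacy hash stored before any NUL-byte warning existed. The user's real
// password was "foo\0bar", but bcrypt, a C API working on NUL-terminated
// strings, only ever saw "foo".
$hash = password_hash("foo\0bar", PASSWORD_BCRYPT, ['cost' => 10]);

// Both candidates verify: the hash carries no trace of what came after the NUL.
var_dump(password_verify("foo\0bar", $hash));
var_dump(password_verify("foo", $hash));

// password_needs_rehash() sees only the hash string (algorithm id, cost, salt,
// digest). Nothing in it distinguishes "foo" from "foo\0bar", so it cannot
// flag this hash as needing regeneration.
var_dump(password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => 10]));

// Hypothetical application-side helper (not a PHP API). The application is the
// only party holding the plaintext at login time, so it can detect the NUL
// itself and re-hash under an algorithm that does not truncate.
function login_and_migrate(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'new_hash' => null];
    }

    // The second condition is the check password_needs_rehash() cannot make.
    $needsRehash = password_needs_rehash($storedHash, PASSWORD_DEFAULT)
        || strpos($password, "\0") !== false;

    $newHash = null;
    if ($needsRehash) {
        // Argon2id takes an explicit length and is binary-safe; fall back to
        // the default algorithm if this build lacks Argon2 support.
        $algo = defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_DEFAULT;
        $newHash = password_hash($password, $algo);
    }

    return ['ok' => true, 'new_hash' => $newHash];
}

var_dump(login_and_migrate("foo\0bar", $hash));
```

The point of the helper is where the NUL check lives: at the call site that still has the plaintext, next to password_verify(), not inside password_needs_rehash(), which by construction only ever receives the hash.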