On 03/07/12 18:21, Anthony Ferrara wrote:
>> 2) I'd like to be able to check whether a stored password uses an outdated
>> algorithm and update the hash in that case. For that I'd need either a
>> function to extract the salt from a hash to pass it to password_hash() and
>> compare the result with the old hash. Or preferably a separate function
>> password_hash_outdated($hash) => bool or something similar. Or maybe
>> someone can come up with yet a better solution for this.
>
> Well... I don't know about that. Outdated is a very odd concept here.
> Perhaps, a password_hash_get_algo($hash) call would suffice. That way, you
> could do if (PASSWORD_BCRYPT == password_get_hash_algo($hash)) { //upgrade
> hash }. Or even if (PASSWORD_DEFAULT != password_get_hash_algo($hash))...
What about:

    bool password_rehash(string &$hash, string $password, int $flags, int $algo, array $options = array())

With $flags allowing the values: PASSWORD_REHASH_ALWAYS, PASSWORD_REHASH_IF_WEAKER, PASSWORD_REHASH_NEW_SALT
(I thought about having $flags inside $options, but it seems better to have it explicit.)
The return value is true iff $hash has been changed.

The usage would be like:

    $hash = database select password from user where username = $user;
    if (password_verify($password, $hash)) {
        if (password_rehash($hash, $password, PASSWORD_REHASH_IF_WEAKER, PASSWORD_MOST_SECURE)) {
            database update user set password = $hash where username = $user;
        }
        // User is logged in
    }
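The verify-then-upgrade flow sketched above, as an added example that is not code from the thread: a userland stand-in for the proposed password_rehash() built on password_needs_rehash()/password_get_info(), which are the functions PHP later shipped. The PASSWORD_REHASH_* constants, userland_password_rehash() and login() are hypothetical names, and the $users array stands in for the database.

```php
<?php
// Added illustration, not code from the thread. The proposed password_rehash()
// never existed as such; this userland version builds it on the password_*
// functions PHP later shipped. The constant names are hypothetical placeholders
// and the $users array stands in for the "database select/update" in the post.

const PASSWORD_REHASH_ALWAYS    = 1;
const PASSWORD_REHASH_IF_WEAKER = 2;

/**
 * Replace $hash with a fresh hash of $password when $flags call for it.
 * Returns true iff $hash was changed. $password must already be verified.
 */
function userland_password_rehash(string &$hash, string $password, int $flags,
                                  $algo = PASSWORD_DEFAULT, array $options = []): bool
{
    // "weaker" = stored algo or cost differs from the target we want to enforce
    $weaker = password_needs_rehash($hash, $algo, $options);
    $rehash = ($flags & PASSWORD_REHASH_ALWAYS)
           || (($flags & PASSWORD_REHASH_IF_WEAKER) && $weaker);
    if (!$rehash) {
        return false;
    }
    $hash = password_hash($password, $algo, $options); // a new salt is generated internally
    return true;
}

function login(string $user, string $password, array &$users): bool
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false;
    }
    $hash = $users[$user];
    // Only after a successful verify: the plaintext is needed to rehash.
    if (userland_password_rehash($hash, $password, PASSWORD_REHASH_IF_WEAKER,
                                 PASSWORD_BCRYPT, ['cost' => 12])) {
        $users[$user] = $hash; // persist the upgraded hash
    }
    return true;
}

// Constructed sample: a stored bcrypt hash made with a deliberately low cost.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 5])];
$before = $users['alice'];
$ok = login('alice', 'correct horse battery staple', $users);
printf("login ok: %s, hash upgraded: %s, stored cost now: %d\n",
       var_export($ok, true),
       var_export($users['alice'] !== $before, true),
       password_get_info($users['alice'])['options']['cost']);
```

The rehash only runs inside the successful password_verify() branch, since the plaintext is only available there; a wrong password leaves the stored hash untouched.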