How to use password_needs_rehash function in PHP 5.5

I have a set of passwords in my database that were previously hashed with sha512, and now that I have upgraded my server to PHP 5.5, I would like to use bcrypt password hashing. So my idea is to log the user in, call the password_needs_rehash function described here to check the stored hash, and then update the password hash in the database:

http://php.net/manual/en/function.password-needs-rehash.php

I'm not sure how to use this function; there are no examples on that page, and it does not quite explain why an array of options is needed. Do I just need to call the password_needs_rehash function as follows?

    if (password_needs_rehash($current_hash, PASSWORD_BCRYPT)) {
        // update the password using password_hash
    }
+6
3 answers

Yes, that's the general idea.

If the password needs to be rehashed, you simply call password_hash() to rehash it. And of course, save the new hash in your database.

    if (password_needs_rehash($current_hash, PASSWORD_BCRYPT)) {
        // update the password using password_hash (the plaintext is available because the user just logged in)
        $new_hash = password_hash($cleartext_password, PASSWORD_BCRYPT);
        // update the database with $new_hash ...
    }
+5

Yes, this is correct. The only option you might want to set is "cost", which indicates how much work is required to generate the hash (and therefore how difficult it is to crack). The default cost for bcrypt is 10, but it can be increased to make hashes harder to crack. So you can set the "cost" here to 11 and use the same value when creating new hashes. The advantage of this is that you can later change it to 12, and existing hashes that are already bcrypt but were created with a cost of 11 will then be updated as well.

+2

Try the following:

    $passwordFromDatabase = "A1D292F556AA661B720847487960860F17086A0BD11A4320368E9447FF7139DE089AA88B6159420814F10194F1AA55A3379FB80EA26BA6397BA75CEC811B241A"; // sha512 hash of "somepassword"
    $passwordFromForm = $_POST['password']; // $_POST['password'] == "somepassword"

    // hash() returns lowercase hex, so the stored uppercase digest must be lowercased before a strict comparison
    if (password_needs_rehash($passwordFromDatabase, PASSWORD_BCRYPT, ["cost" => 12])
        && hash("sha512", $passwordFromForm) === strtolower($passwordFromDatabase)) {
        // generate new password hash
        $newPasswordHash = password_hash($passwordFromForm, PASSWORD_BCRYPT, ["cost" => 12]);
        // update hash in database - replace old hash $passwordFromDatabase with new hash $newPasswordHash
        // after update, log in the user
        if (password_verify($passwordFromForm, $newPasswordHash)) {
            // user has logged in successfully and hash was updated
            // redirect to user area
        } else {
            // oops, something went wrong - throw an Exception
        }
    } else {
        if (password_verify($passwordFromForm, $passwordFromDatabase)) {
            // user password hash from database is already bcrypt, no need to rehash
            // user has logged in successfully
            // redirect to user area
        } else {
            // wrong password
            // no access granted - stay where you are
        }
    }

PS. If you are thinking about supplying your own salt... please do not do this. You will not do it better than the native password_hash(...) PHP function. Just set a cost that balances verification speed against protection from brute forcing. If you leave the options empty, the default cost of 10 will be used.

+1
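The answers above cover the legacy-sha512 migration (third answer) and the later cost bump (second answer) separately. The following is an added example, not code from the question or any of the answers, that handles both in one helper: it distinguishes a legacy hex digest from a bcrypt hash with password_get_info(), compares the legacy digest in constant time with hash_equals() (PHP 5.6+; on 5.5 a plain === on the lowercased digest is the fallback), and lets password_needs_rehash() drive the rewrite for bcrypt rows whose cost is below the current policy. The function names verifyAndMigrate and currentHashOptions and the sample rows are this example's own assumptions.

```php
<?php
// Added example (not part of the original thread). One login helper for the three
// stored-hash states discussed above:
//   1. legacy unsalted sha512 hex digest (what the asker has in the database),
//   2. a bcrypt hash made with an older cost,
//   3. a bcrypt hash made with the current cost (nothing to do).

// Raise the cost here later and every bcrypt row migrates on its owner's next login.
function currentHashOptions()
{
    return ['cost' => 12];
}

/**
 * Verify $password against $storedHash.
 * Returns ['ok' => bool, 'newHash' => string|null]. When newHash is non-null the
 * caller must write it back to the user's row before completing the login.
 */
function verifyAndMigrate($storedHash, $password)
{
    $info = password_get_info($storedHash);

    // 'algo' is 0 for an unrecognised string on PHP < 7.4 and null on PHP >= 7.4.
    if ($info['algo'] === 0 || $info['algo'] === null) {
        // Not a password_hash() product, so treat it as a legacy sha512 hex digest.
        // hash() returns lowercase hex; normalise the stored value and compare in constant time.
        $legacyOk = hash_equals(strtolower($storedHash), hash('sha512', $password));
        if (!$legacyOk) {
            return ['ok' => false, 'newHash' => null];
        }
        // Correct password on a legacy hash: replace it with bcrypt at the current cost.
        return ['ok' => true, 'newHash' => password_hash($password, PASSWORD_BCRYPT, currentHashOptions())];
    }

    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'newHash' => null];
    }

    // Correct password on a bcrypt hash: rehash only if algorithm or cost differ from current policy.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, currentHashOptions())) {
        return ['ok' => true, 'newHash' => password_hash($password, PASSWORD_BCRYPT, currentHashOptions())];
    }

    return ['ok' => true, 'newHash' => null];
}

// --- demonstration with constructed rows (no real user data) ---
$password = 'somepassword';

$rows = [
    'legacy sha512'  => hash('sha512', $password),                                   // state 1
    'bcrypt cost 10' => password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]),   // state 2
    'bcrypt cost 12' => password_hash($password, PASSWORD_BCRYPT, currentHashOptions()), // state 3
];

foreach ($rows as $label => $row) {
    $result = verifyAndMigrate($row, $password);
    printf("%-15s ok=%s rewrite=%s\n",
        $label,
        $result['ok'] ? 'yes' : 'no',
        $result['newHash'] !== null ? 'yes' : 'no');
}

// A wrong password never triggers a rewrite, whatever the stored format.
$wrong = verifyAndMigrate($rows['legacy sha512'], 'wrongpassword');
assert($wrong['ok'] === false && $wrong['newHash'] === null);
```

Running it prints rewrite=yes for the first two rows and rewrite=no for the third; only a successful verification ever produces a new hash, so a failed login cannot be used to overwrite a stored row.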

Source: https://habr.com/ru/post/954793/
