Password_needs_rehash

Hello PHP friends,

today i decided to work on my login scripts. I am a beginner and i just learned how to create a database and use pdo prepared statements this year. My database login is very simple for testing. Thus, i wanted to add a password hash for storing passwords in the database. My code is working but i have questions about the password_needs_rehash function.

my code to hash:

$Hash = password_hash($password, PASSWORD_BCRYPT);

code to compare hashes at login:

if ($username == $userField && password_verify($password, $passField)) {

I see that people use PASSWORD_DEFAULT but i don’t understand how this option is stored. What i mean is that if a new version of PHP changed the default algorithm, then how is PHP supposed to know what it was before? is that in the ini file? should i use PASSWORD_DEFAULT or should i specify an algorithm?

I ask this because I do not know how to implement password_needs_rehash. I don’t really know if i could increase the cost because i don’t have a server yet. I’m still designing my site. Thus, what is the correct way to implement a password_needs_rehash?

Its actually in the password hash itself

[quote]
The prefix “$2a$” or “$2b$” (or “$2y$”) in a hash string in a file indicates that hash string is a bcrypt hash in modular crypt format. The rest of the hash string includes the cost parameter, a 128-bit salt encoded as 22 characters, and 184 bits of the resulting hash value. The Radix-64 encoding uses the unix/crypt alphabet, and is not ‘standard’. The cost parameter specifies a key expansion iteration count as a power of two, which is an input to the crypt algorithm.

For example, the shadow password record $2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy specifies a cost parameter of 10, indicating 10 key expansion rounds. The salt is N9qo8uLOickgx2ZMRZoMye and the resulting hash is IjZAgcfl7p92ldGxad68LJZdL17lhWy .[/quote]https://en.m.wikipedia.org/wiki/Bcrypt

you should ideally use password default in combination with password needs rehash to future proof.

on mobile now so have to keep it short. but you basically just
after successful login (password verify ok)
check of the HASH stored in the db needs rehash
if it does, run password hash with the plain text password that was submitted on login and password default
then store the new hash in the db
thats all

1 Like

Thank you, Jim. Very informative post. I understand this concept now. because of your post.
:slight_smile:

Sponsor our Newsletter | Privacy Policy | Terms of Service