using password_needs_rehash()
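<?php
declare(strict_types=1);

// Demonstrates password_hash() / password_verify() / password_needs_rehash():
// two bcrypt hashes of the same secret at different work factors both verify,
// but only the one at the current target cost counts as up to date.
//
// NOTE: the original gist passed its checks to assert() as strings. Since
// PHP 8.0 a string argument is no longer evaluated as code, so every one of
// those checks passed unconditionally (a non-empty string is truthy), and
// assert() is compiled out entirely when zend.assertions = -1. The demo
// therefore uses a tiny helper that always throws on a failed expectation.

/**
 * Abort the demo with a clear message when an expectation does not hold.
 *
 * @throws RuntimeException when $condition is false
 */
function expect(bool $condition, string $message): void
{
    if (!$condition) {
        throw new RuntimeException($message);
    }
}

$stevesSecret = 'pass123';

// Cost 4 is bcrypt's minimum and is only acceptable for a demo; production code
// should use the highest cost the hardware tolerates, or PASSWORD_DEFAULT and
// let the runtime pick. Bcrypt also silently ignores input past 72 bytes.
$hashOne = password_hash($stevesSecret, PASSWORD_BCRYPT, ['cost' => 4]);
$hashTwo = password_hash($stevesSecret, PASSWORD_BCRYPT, ['cost' => 12]);
echo $hashOne . PHP_EOL;
echo $hashTwo . PHP_EOL;

// Each call draws a fresh random salt, so the outputs differ even when the
// cost is identical — the difference below is not caused by the cost alone.
expect($hashOne !== $hashTwo, 'The two hashes should be different');

// A bcrypt hash is self-describing: $2y$<cost>$<22-char salt><31-char digest>.
// password_get_info() parses the algorithm and options back out of it, so the
// application never has to store the algorithm or cost separately.
$infoOne = password_get_info($hashOne);
$infoTwo = password_get_info($hashTwo);
expect($infoOne['algoName'] === 'bcrypt' && $infoTwo['algoName'] === 'bcrypt', 'The two hashes should use the same algorithm');
expect($infoOne['options']['cost'] === 4, 'hash one should record cost 4');
expect($infoTwo['options']['cost'] === 12, 'hash two should record cost 12');

// Note neither verify call references the algorithm or the cost — both are read
// from the stored hash. password_verify() compares in constant time; never
// compare password hashes yourself with ==/===.
expect(password_verify($stevesSecret, $hashOne) === true, 'hash one is valid');
expect(password_verify($stevesSecret, $hashTwo) === true, 'hash two is valid');

// But hash one would need rehashing to meet the current policy. In a real login
// flow run this check only after password_verify() succeeded (the plaintext is
// needed to rehash) and persist the new hash in place of the old one.
if (password_needs_rehash($hashOne, PASSWORD_BCRYPT, ['cost' => 12])) {
    echo "hash one does NOT use bcrypt with a cost of 12. Maybe you should rehash the password?" . PHP_EOL;
}
expect(password_needs_rehash($hashTwo, PASSWORD_BCRYPT, ['cost' => 12]) === false, 'hash two is already at the target cost');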