Last updated: Fri, 28 Jun 2013

password_needs_rehash

(PHP 5 >= 5.5.0)

password_needs_rehash - Checks if the given hash matches the given options

Description

boolean password_needs_rehash ( string $hash , int $algo [, array $options ] )

This function checks to see if the supplied hash implements the algorithm and options provided. If not, it is assumed that the hash needs to be rehashed.

Parameters

hash

A hash created by password_hash().

algo

A password algorithm constant denoting the algorithm to use when hashing the password.

options

An associative array containing options. See the password algorithm constants for documentation on the supported options for each algorithm.

Return Values

Returns TRUE if the hash should be rehashed to match the given algo and options, or FALSE otherwise.
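
The following is an added example, not part of the PHP manual: it shows the usual place to call password_needs_rehash(), right after a successful password_verify() at login, when the plaintext is still available to produce a new hash. The `$user` array, the save step and the sample password are constructed stand-ins for a real credential store.

```php
<?php
// Added example, not from the PHP manual. The user record and the
// save step are hypothetical stand-ins for a real credential store.

// Current policy: bcrypt with a higher cost than the legacy hashes.
$algo    = PASSWORD_BCRYPT;
$options = ['cost' => 12];

/**
 * Verify a login and, if the stored hash no longer matches policy,
 * replace it while the plaintext is still available.
 * Returns [bool $authenticated, string $hashToStore].
 */
function login_and_upgrade($password, $storedHash, $algo, array $options)
{
    // Always verify first: password_needs_rehash() only inspects the
    // hash format and says nothing about whether the password is correct.
    if (!password_verify($password, $storedHash)) {
        return [false, $storedHash];
    }

    // TRUE means the hash was made with a different algorithm or options.
    if (password_needs_rehash($storedHash, $algo, $options)) {
        $newHash = password_hash($password, $algo, $options);
        if ($newHash !== false) {
            return [true, $newHash]; // caller persists the new hash
        }
    }
    return [true, $storedHash];
}

// Constructed sample: a legacy hash created under an older policy (cost 10).
$user = ['hash' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10])];

// Failed login: the stored hash must be left untouched.
list($ok, $hash) = login_and_upgrade('wrong guess', $user['hash'], $algo, $options);
var_dump($ok, $hash === $user['hash']);

// Successful login: the legacy hash is replaced by one at the current cost.
list($ok, $hash) = login_and_upgrade('correct horse', $user['hash'], $algo, $options);
var_dump($ok, $hash !== $user['hash']);
$user['hash'] = $hash; // hypothetical save step

// The upgraded hash now matches policy, and its embedded cost can be read back.
var_dump(password_needs_rehash($user['hash'], $algo, $options));
var_dump(password_get_info($user['hash'])['options']['cost']);
```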



User Contributed Notes
ydroneaud at opteya dot com
10 days ago
According to the documentation, it's checking if the given hashed password string is compatible with the provided algorithm (and options, but not salt), e.g. it's checking if the hashed password string was generated with the provided algorithm (and options, but not salt).

There's nothing to 'rehash' in its parameters ... especially not the already hashed password string, and the password "stored" in the hashed password string is not supposed to be known, it's not in clear, it's a secret.

The name of the function seems misleading, this function should have been called "password_hash_compatible()" instead.

This function could be used to check if a password database/a hashed password string (hashed by function "password_hash()") needs to be upgraded to a stronger password hashing/storage scheme: if the function returns false, a new password will have to be set for the user, hashed with the new, stronger, algorithm/options.

One should carefully think before using this function to support multiple algorithms/options in one database, e.g. support "legacy scheme" passwords + "new scheme" ...
