password_needs_rehash

(PHP 5 >= 5.5.0)

password_needs_rehashVérifie si la table de hachage fournie correspond aux options fournies

Description

boolean password_needs_rehash ( string $hash , integer $algo [, array $options ] )

Cette fonction vérifie si la table de hachage fournie implémente l'algorithme et les options fournis. Si ce n'est pas le cas, il est supposé que la table de hachage doit être re-généré.

Liste de paramètres

hash

Un hachage créé par la fonction password_hash().

algo

Une constantes de l'algorithme de mot de passe représentant l'algorithme à utiliser lors du hachage du mot de passe.

options

Un tableau associatif contenant les options. Voir aussi les constantes de l'algorithme de mot de passe pour une documentation sur les options supportées pour chaque algorithme.

Valeurs de retour

Retourne TRUE si la table de hachage doit être re-générée pour correspondre aux paramètres algo et options fournis, ou FALSE sinon.

add a note add a note

User Contributed Notes 2 notes

up
17
nick at nickstallman dot net
9 months ago
ydroneaud this would be used on a login page, not at any other time.

So if you have a site with MD5 passwords for example, and wish to upgrade to SHA256 for additional security you would put this check in the login script.

This function will take a user's hash and say if it is SHA256, if it isn't then you can take the user's password which you still have as plaintext and rehash it as SHA256.

This lets you gradually update the hashes in your database without disrupting any features or resetting passwords.
up
1
ydroneaud at opteya dot com
10 months ago
According to the documentation, it's checking if the given hashed password string is compatible with the provided algorithm (and options, but not salt), eg. it's checking if the hashed password string was generated with the provided algorithm (and options, but not salt).

There's nothing to 'rehash' in its parameters ... especially not the already hashed password string, and the password "stored" in the hashed password string is not supposed to be known, it's not in clear, it's a secret.

The name of the function seems misleading, this function should have been called "password_hash_compatible()" instead.

This function could be use to check if a password database/a hashed password string (hashed by function "password_hash()") need to be upgraded to a stronger password hashing/storage scheme: if the function returns false,  a new password will have to be set for the user, hashed with the new, stronger, algorithm/options.

One should carefully think before using this function to support multiple algorithms/options in one database, eg. support "legacy scheme" passwords + "new scheme" ...
To Top