Closed harikt closed 9 years ago
Hey @harikt, happy new year to you also, and thanks for this!
One question: why `PASSWORD_BCRYPT` and not `PASSWORD_DEFAULT`? They are equivalent now, but the latter gives forward-compatible security while the former does not. If there is a vulnerability found in bcrypt (or it otherwise becomes useless) and it is replaced as the default, then with `PASSWORD_DEFAULT` new hashes will automatically use the more secure option.
Also, does Aura.Auth handle rehashing if the algorithm/options change?
Hey @dshafik,
Ok. Thanks. I can make use of `PASSWORD_DEFAULT`. But one question: what will happen if the algorithm is changed from BCRYPT to a different one, say X? I assume the hashing of both is different, and maybe the verify has the functionality to detect the old algorithm used and change it?
> Does Aura.Auth handle rehashing if the algorithm/options change?

No. It does not deal with inserting / updating data. Probably it should need that, I think. Still on the betas. So suggestions welcome :-).
I have opened an issue at https://github.com/auraphp/Aura.Auth/issues/62, so we can implement it if Paul agrees with the same.
@harikt the resulting hash from `password_hash()` contains the algorithm used, so `password_verify()` will use bcrypt or whichever else is next. See the first part of this post.
As for rehashing, ext/password provides a `password_needs_rehash()` function which takes a hash and then the same arguments as `password_hash()` (hash, e.g. `PASSWORD_DEFAULT`, and `options['cost']`) and will tell you if it meets the settings and return a boolean.
If it returns false, you should rehash and re-store (this is done at login when you have the user's plaintext password for verification and rehashing).
For an example of what this looks like see the last section of the PHP example.
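The login-time verify-then-rehash flow described in the comment above, as an added example that is not part of this thread, of Aura.Auth, or of ext/password's own documentation. It assumes a plain PHP array standing in for the users table (a real application would issue an UPDATE in its place), a constructed target cost of 12, and a legacy record hashed at cost 10; note that `password_needs_rehash()` returns `true` when the stored hash was not produced with the given algorithm and options, which is the branch in which the hash is regenerated.

```php
<?php
declare(strict_types=1);

// Current hashing policy: PASSWORD_DEFAULT tracks whatever PHP considers the
// strongest default, so a future algorithm change is picked up automatically.
const CURRENT_ALGO = PASSWORD_DEFAULT;
const CURRENT_OPTIONS = ['cost' => 12];   // constructed value for this example

// A valid hash of an unguessable value, used so that "unknown user" costs the
// same as "wrong password" (avoids a user-enumeration timing side channel).
define('DUMMY_HASH', password_hash(bin2hex(random_bytes(16)), CURRENT_ALGO, CURRENT_OPTIONS));

/** Constructed in-memory user store: one legacy record hashed at the old cost. */
function make_users(): array
{
    return [
        'alice' => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]),
    ];
}

/**
 * Verify a login and, on success, transparently upgrade the stored hash when
 * the algorithm or options no longer match the current policy. Returns true
 * on success; $users is updated in place (stands in for the UPDATE query).
 */
function login(array &$users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        password_verify($password, DUMMY_HASH);   // burn the same time, then reject
        return false;
    }

    $hash = $users[$username];
    if (!password_verify($password, $hash)) {
        return false;
    }

    // This is the only moment the plaintext is available, so it is the only
    // moment a rehash is possible. The hash itself records the algorithm and
    // cost, which is how password_needs_rehash() knows what was used before.
    if (password_needs_rehash($hash, CURRENT_ALGO, CURRENT_OPTIONS)) {
        $users[$username] = password_hash($password, CURRENT_ALGO, CURRENT_OPTIONS);
    }
    return true;
}

// Usage: a failed login leaves the legacy hash untouched; a successful one
// upgrades it from cost 10 to cost 12 without the user noticing.
$users = make_users();
var_dump(password_get_info($users['alice'])['options']);          // ['cost' => 10]
var_dump(login($users, 'alice', 'wrong password'));               // false
var_dump(password_get_info($users['alice'])['options']);          // still ['cost' => 10]
var_dump(login($users, 'alice', 'correct horse battery staple')); // true
var_dump(password_get_info($users['alice'])['options']);          // ['cost' => 12]
var_dump(login($users, 'nobody', 'anything'));                    // false
```

Because the algorithm identifier and cost live inside the hash string, the application never needs to store them separately; `password_verify()` reads them from the hash, and `password_needs_rehash()` compares them against the policy you pass in. Store the hash in a column wide enough for future algorithms (the PHP manual recommends 255 characters) so a default change does not truncate new hashes.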
@dshafik Thank you.
I have used `password_needs_rehash`, but the only doubt I was having was about the inner working of the algorithm: detecting the old algorithm and making use of the new algorithm. But your post Password Security Part 3: The Anatomy of a Hash will help me to understand more.
Why Aura has removed the `password_needs_rehash` is because auth wasn't dealing with creating the `password_hash`, so it is not aware of the options that are passed.
I think it will be a nice feature to implement, provided Paul agrees to it.
Thanks!
Hi @dshafik,
Happy New Year to all :-).
I have added an example of authenticating users via Aura.Auth, a standalone library. I believe this library may help someone who is struggling to make use of a good authentication library.
@pmjones pinging you here if you'd like to verify and make any corrections.
Thank you
/ cc @dflydev