Closed LordMonoxide closed 4 years ago
A simple needsRehash(owd) method will not work - one has to provide at least the same cost factors as for the hash method. A naive approach could be as follows:

- false if all actual factors are greater than or equal to their expected counterparts.
- true if one of the actual factors is less than its expected counterpart.

This approach is not compatible with PHP but avoids that a hash with stronger parameters than expected is considered weaker. In PHP all actual and expected factors must be equal.
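
The two comparison rules from the comment above, as an added example that is not part of the original thread or the project's own code. It assumes the stored hash is a PHC-style encoded string (the format Argon2 uses); the names `parse_costs`, `needs_rehash` and `strict` are hypothetical.

```python
import re

# Assumed encoding: PHC string format as used by Argon2, e.g.
#   $argon2id$v=19$m=65536,t=3,p=4$<salt>$<hash>
_PARAMS = re.compile(
    r"^\$[a-z0-9-]+\$(?:v=\d+\$)?((?:[a-z]+=\d+)(?:,[a-z]+=\d+)*)\$"
)


def parse_costs(encoded):
    """Return the cost factors embedded in an encoded hash as a dict of ints."""
    match = _PARAMS.match(encoded)
    if match is None:
        raise ValueError("not a PHC-style encoded hash")
    pairs = (pair.split("=") for pair in match.group(1).split(","))
    return {name: int(value) for name, value in pairs}


def needs_rehash(encoded, expected, strict=False):
    """Compare the stored cost factors with the expected ones.

    strict=False: the naive rule from the comment; True only if some actual
                  factor is lower than its expected counterpart.
    strict=True:  the PHP rule; True if any factor differs from the expected one.
    """
    actual = parse_costs(encoded)
    for name, want in expected.items():
        have = actual.get(name)
        if have is None:
            return True  # assumption: a factor missing from the hash means outdated
        if have < want or (strict and have != want):
            return True
    return False


# Constructed sample values; salt and digest are placeholders, not real output.
OLD = "$argon2id$v=19$m=32768,t=2,p=1$c2FsdHNhbHQ$ZGlnZXN0"
STRONG = "$argon2id$v=19$m=131072,t=4,p=1$c2FsdHNhbHQ$ZGlnZXN0"
POLICY = {"m": 65536, "t": 3, "p": 1}
```

Under the naive rule `STRONG` is left alone, while the PHP-style rule flags it because its factors differ from `POLICY`.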
@sephiroth-j added a needsRehash method. Thank you very much! This will be part of the next released version.
As time goes on you may need to increase your hashing parameters. Old hashes you still have stored should be rehashed at this point, but can only be rehashed when the original password is available. Consider something like this: