
Allow hashers to side-grade hashes across cost settings
Closed, Public

Authored by epriestley on Feb 18 2014, 7:57 PM.

Details

Summary

Ref T4443. In addition to performing upgrades from, e.g., md5 -> bcrypt, also allow sidegrades from, e.g., bcrypt(cost=11) to bcrypt(cost=12). This allows us to, for example, bump the cost function every 18 months and stay on par with Moore's law, on average.

I'm also allowing "upgrades" which technically reduce cost, but this seems like the right thing to do (i.e., generally migrate password storage so it's all uniform, on average).

Test Plan
  • Fiddled the bcrypt cost function and saw appropriate upgrade UI, and upgraded passwords upon password change.
  • Passwords still worked.
  • Around cost=13 or 14 things start getting noticeably slow, so bcrypt does actually work. Such wow.
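
The sidegrade decision described in the summary, as an added PHP example (not Phabricator's hasher code): it uses PHP's built-in password_* functions, and TARGET_COST, the function names, and rehashing right after a successful verification are assumptions made for illustration. password_needs_rehash() reports a cost mismatch in either direction, so a hash stored above the target cost is migrated down as well.

```php
<?php
// Added illustration; not Phabricator's hasher implementation.
// TARGET_COST and all function names below are hypothetical.
const TARGET_COST = 12;

// Read the cost setting embedded in a stored bcrypt hash ("$2y$11$...").
function stored_cost(string $hash): ?int {
    $info = password_get_info($hash);
    if ($info['algoName'] !== 'bcrypt') {
        return null; // not bcrypt: that is an upgrade, not a sidegrade
    }
    return $info['options']['cost'];
}

// True when the stored hash is not at the target cost, higher or lower.
function needs_sidegrade(string $hash): bool {
    return password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => TARGET_COST]);
}

// Verify first, then rehash while the plaintext is in hand.
// Returns the hash to store, or null when verification fails.
function verify_and_sidegrade(string $password, string $hash): ?string {
    if (!password_verify($password, $hash)) {
        return null;
    }
    if (needs_sidegrade($hash)) {
        return password_hash($password, PASSWORD_BCRYPT, ['cost' => TARGET_COST]);
    }
    return $hash;
}

// Constructed sample: one hash below the target cost and one above it.
$password = 'correct horse battery staple';
foreach ([11, 13] as $cost) {
    $old = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    $new = verify_and_sidegrade($password, $old);
    printf("cost %d -> %d, still verifies: %s\n",
        stored_cost($old), stored_cost($new),
        password_verify($password, $new) ? 'yes' : 'no');
}

// A failed verification must never trigger a rehash.
var_dump(verify_and_sidegrade('wrong password', $old));
```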

Diff Detail

Lint
Lint Skipped
Unit
Tests Skipped