Page MenuHomePhabricator
Differential D8271

Allow hashers to side-grade hashes across cost settings
ClosedPublic
Actions

Authored by epriestley on Feb 18 2014, 7:57 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Nov 24, 1:19 AM
Unknown Object (File)
Wed, Nov 20, 10:23 AM
Unknown Object (File)
Mon, Nov 4, 4:45 PM
Unknown Object (File)
Oct 25 2024, 6:18 PM
Unknown Object (File)
Oct 23 2024, 8:50 PM
Unknown Object (File)
Oct 17 2024, 5:18 AM
Unknown Object (File)
Oct 12 2024, 11:40 AM
Unknown Object (File)
Oct 8 2024, 12:39 AM
View All Files
Subscribers
aran

Details

Reviewers
btrahan
Maniphest Tasks
T4443: Use bcrypt / password_hash() to hash passwords if available
Commits
Restricted Diffusion Commit
rP5c84aac9089a: Allow hashers to side-grade hashes across cost settings
Summary

Ref T4443. In addition to performing upgrades from, e.g., md5 -> bcrypt, also allow sidegrades from, e.g., bcrypt(cost=11) to bcrypt(cost=12). This allows us to, for example, bump the cost function every 18 months and stay on par with Moore's law, on average.

I'm also allowing "upgrades" which technically reduce cost, but this seems like the right thing to do (i.e., generally migrate password storage so it's all uniform, on average).

Test Plan
  • Fiddled the bcrypt cost function and saw appropriate upgrade UI, and upgraded passwords upon password change.
  • Passwords still worked.
  • Around cost=13 or 14 things start getting noticibly slow, so bcrypt does actually work. Such wow.

Diff Detail

Lint
Lint Skipped
Unit
Tests Skipped

Revision Contents
Changeset List

PathSize
src/
infrastructure/
util/
password/
29 lines
32 lines

Diff 19683

View Options

src/infrastructure/util/password/PhabricatorBcryptPasswordHasher.php

Loading...
View Options

src/infrastructure/util/password/PhabricatorPasswordHasher.php

Loading...
Phabricator · Built by Phacility