Allow hashers to side-grade hashes across cost settings
Closed, Public

Authored by epriestley on Feb 18 2014, 7:57 PM.

Details

Summary

Ref T4443. In addition to performing upgrades from, e.g., md5 -> bcrypt, also allow sidegrades from, e.g., bcrypt(cost=11) to bcrypt(cost=12). This allows us to, for example, bump the cost function every 18 months and stay on par with Moore's law, on average.

I'm also allowing "upgrades" which technically reduce cost, but this seems like the right thing to do (i.e., generally migrate password storage so it's all uniform, on average).

Test Plan
  • Fiddled the bcrypt cost function and saw appropriate upgrade UI, and upgraded passwords upon password change.
  • Passwords still worked.
  • Around cost=13 or 14 things start getting noticeably slow, so bcrypt does actually work. Such wow.

Diff Detail

Lint
Lint Skipped
Unit
Tests Skipped
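
The upgrade and sidegrade decision described in the summary, as an added example that is not Phabricator's hasher code: it uses PHP's built-in `password_*` functions, and `PREFERRED_COST`, `can_upgrade_hash` and `verify_and_sidegrade` are hypothetical names. It assumes bcrypt is the preferred algorithm and treats any stored cost other than the preferred one, higher or lower, as upgradable.

```php
<?php
// Added example, not Phabricator's hasher classes. PREFERRED_COST and
// both function names are hypothetical.
const PREFERRED_COST = 12;

// True when a stored hash should be rewritten: a different algorithm
// (upgrade) or bcrypt at any other cost, higher or lower (sidegrade).
function can_upgrade_hash(string $stored): bool {
  return password_needs_rehash(
    $stored, PASSWORD_BCRYPT, ['cost' => PREFERRED_COST]);
}

// Verify a password and, only if it is correct, return the hash that
// should be stored from now on. Rehashing needs the plaintext, so it can
// only happen at login or password change. Returns null on a bad password.
function verify_and_sidegrade(string $password, string $stored): ?string {
  if (!password_verify($password, $stored)) {
    return null;
  }
  if (!can_upgrade_hash($stored)) {
    return $stored;
  }
  return password_hash(
    $password, PASSWORD_BCRYPT, ['cost' => PREFERRED_COST]);
}

// Constructed sample data: one password hashed at three cost settings.
$password = 'correct horse battery staple';
foreach ([11, 12, 13] as $cost) {
  $stored = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
  $new = verify_and_sidegrade($password, $stored);
  printf("stored cost=%d  upgradable=%s  cost after login=%d\n",
    $cost,
    can_upgrade_hash($stored) ? 'yes' : 'no',
    password_get_info($new)['options']['cost']);
}

// A wrong password never triggers a rehash.
var_dump(verify_and_sidegrade('wrong password', $stored));
```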