
Implement bcrypt hasher, transparent login upgrade, and explicit upgrade for…

Description

Implement bcrypt hasher, transparent login upgrade, and explicit upgrade for passwords

Summary:
Ref T4443.

  • Add a password_hash()-based bcrypt hasher if password_hash() is available.
  • When a user logs in using a password, upgrade their password to the strongest available hash format.
  • On the password settings page:
    • Warn the user if their password uses any algorithm other than the strongest one.
    • Show the algorithm the password uses.
    • Show the best available algorithm.

Test Plan: As an md5 user, viewed password settings page and saw a warning. Logged out. Logged in, got upgraded, no more warning. Changed password, verified database rehash. Logged out, logged in.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T4443

Differential Revision: https://secure.phabricator.com/D8270
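The transparent upgrade-on-login and the settings-page warning described in the summary, as an added PHP sketch that is not Phabricator's own code: it assumes stored hashes carry a constructed "md5:" or "bcrypt:" prefix (so the algorithm can be displayed) and relies only on PHP's standard password_hash(), password_verify(), password_needs_rehash() and hash_equals().

```php
<?php
// Added illustration of the flow in the commit message above; not Phabricator's
// code. The "algo:hash" record layout is a constructed assumption for the example.

/** Strongest algorithm this install can produce (bcrypt needs password_hash()). */
function strongest_algorithm(): string {
    return function_exists('password_hash') ? 'bcrypt' : 'md5';
}

/** Hash a new or changed password with the strongest available algorithm. */
function hash_password(string $password): string {
    return strongest_algorithm() === 'bcrypt'
        ? 'bcrypt:' . password_hash($password, PASSWORD_BCRYPT)
        : 'md5:' . md5($password); // legacy fallback only
}

/** Verify $password against a stored "algo:hash" record of any supported format. */
function verify_password(string $password, string $stored): bool {
    $parts = explode(':', $stored, 2);
    if (count($parts) !== 2) { return false; } // malformed record
    [$algo, $hash] = $parts;
    switch ($algo) {
        case 'bcrypt': return password_verify($password, $hash);
        case 'md5':    return hash_equals($hash, md5($password)); // constant-time
        default:       return false;
    }
}

// Login step: on success return the record to store, rehashed if it uses a weaker
// algorithm than the best available (or a stale bcrypt cost); null on bad password.
function login_and_upgrade(string $password, string $stored): ?string {
    if (!verify_password($password, $stored)) {
        return null;
    }
    [$algo, $hash] = explode(':', $stored, 2);
    $weak = $algo !== strongest_algorithm()
        || ($algo === 'bcrypt' && password_needs_rehash($hash, PASSWORD_BCRYPT));
    return $weak ? hash_password($password) : $stored;
}

/** Settings page: warn unless the stored algorithm is the strongest available. */
function settings_warning(string $stored): ?string {
    $algo = explode(':', $stored, 2)[0];
    $best = strongest_algorithm();
    return $algo === $best ? null : "Password uses {$algo}; best available is {$best}.";
}
```

The caller persists the value returned by login_and_upgrade() only when it differs from the stored record, which is what makes the upgrade invisible to the user.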
