Bug #47725

BCrypt hashing should support migration of older costs

Added by Christopher Hlubek about 8 years ago. Updated almost 7 years ago.

Status:
Resolved
Priority:
Could have
Category:
Security
Start date:
2013-04-30
Due date:
% Done:

100%

Estimated time:
PHP Version:
Has patch:
No
Complexity:

Description

In the current implementation of the BCryptHashingStrategy a password is hashed with crypt() and the resulting hash string contains the algorithm and its parameters together with the salt that was used to hash the password.

During validation only the salt is taken from the hashed password, so the cost parameter has to match the original cost. This is very problematic if the cost needs to be changed during the lifetime of a project. A high cost means slow logins but more securely hashed passwords.

The hashing strategy should be able to validate an existing hash with a different cost, both for migration of password hashes and for updates to the cost parameter during the lifetime of a project (with hardware improvements the hashing will always get cheaper over time).
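An added illustration of the issue (example code, not TYPO3 Flow's own BCryptHashingStrategy; the function names are hypothetical): validating with the currently configured cost fails as soon as the cost is raised, while passing the full stored hash to crypt() validates a hash of any cost and lets the application rehash stale entries after a successful login.

```php
<?php
// Added example, not TYPO3 Flow code. Function names are hypothetical.

function bcryptHash(string $password, int $cost): string
{
    // crypt() bcrypt setting: "$2y$" + two-digit cost + "$" + 22 salt chars
    // from the alphabet ./A-Za-z0-9, so '+' from standard base64 is mapped to '.'.
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return crypt($password, sprintf('$2y$%02d$%s', $cost, $salt));
}

// Approach described in the report: only the 22-character salt is reused and
// the hash is recomputed with the *configured* cost. Any cost change breaks it.
function validateWithConfiguredCost(string $password, string $storedHash, int $configuredCost): bool
{
    $salt = substr($storedHash, 7, 22);
    $recomputed = crypt($password, sprintf('$2y$%02d$%s', $configuredCost, $salt));
    return hash_equals($storedHash, $recomputed);
}

// Migration-aware approach: the full stored hash is passed as the setting, so
// crypt() reads algorithm, cost and salt from it. The configured cost only
// decides whether the stored hash is stale and should be regenerated.
function validateAndMaybeRehash(string $password, string $storedHash, int $configuredCost): array
{
    $valid = hash_equals($storedHash, crypt($password, $storedHash));
    $storedCost = (int) substr($storedHash, 4, 2);
    $newHash = ($valid && $storedCost !== $configuredCost)
        ? bcryptHash($password, $configuredCost)
        : null;
    return [$valid, $newHash];
}

// Constructed sample: a hash created while the cost was 10, checked after
// the configuration was raised to 12.
$password = 'correct horse battery staple';
$old = bcryptHash($password, 10);

var_dump(validateWithConfiguredCost($password, $old, 12)); // bool(false): login breaks

[$valid, $newHash] = validateAndMaybeRehash($password, $old, 12);
var_dump($valid);                  // bool(true)
var_dump(substr($newHash, 0, 7));  // string(7) "$2y$12$": persist this in place of $old
```

Since PHP 5.5 the built-in password_verify() and password_needs_rehash() implement this same pattern natively.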

#1

Updated by Gerrit Code Review about 8 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/20349

#2

Updated by Robert Lemke about 8 years ago

  • Priority changed from Should have to Could have
  • Target version set to 2.0

#3

Updated by Karsten Dambekalns almost 8 years ago

  • Target version changed from 2.0 to 2.0.1

#4

Updated by Gerrit Code Review over 7 years ago

Patch set 1 for branch 2.0 of project Packages/TYPO3.Flow has been pushed to the review server.
It is available at https://review.typo3.org/27199

#5

Updated by Christopher Hlubek almost 7 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
