
Implement bcrypt hasher, transparent login upgrade, and explicit upgrade for…

Authored by epriestley <git@epriestley.com> on Feb 18 2014, 20:03.

Description

Implement bcrypt hasher, transparent login upgrade, and explicit upgrade for passwords

Summary:
Ref T4443.

  • Add a password_hash()-based bcrypt hasher if password_hash() is available.
  • When a user logs in using a password, upgrade their password to the strongest available hash format.
  • On the password settings page:
    • Warn the user if their password uses any algorithm other than the strongest one.
    • Show the algorithm the password uses.
    • Show the best available algorithm.

Test Plan: As an md5 user, viewed password settings page and saw a warning. Logged out. Logged in, got upgraded, no more warning. Changed password, verified database rehash. Logged out, logged in.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T4443

Differential Revision: https://secure.phabricator.com/D8270
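
The login-time upgrade and the settings-page check described in the commit message, as an added example that is not Phabricator's code. The `<algorithm>:<hash>` storage format, the unsalted MD5 legacy scheme, and all function names are assumptions made for illustration; it needs PHP 7.1 or later.

```php
<?php
// Added illustration, not Phabricator's code. Assumed storage format: "<algorithm>:<hash>".
const BEST_ALGORITHM = 'bcrypt';

function split_stored(string $stored): array {
    return explode(':', $stored, 2) + [1 => ''];
}

function hash_with_best(string $password): string {
    return BEST_ALGORITHM . ':' . password_hash($password, PASSWORD_BCRYPT);
}

function verify_stored(string $password, string $stored): bool {
    [$algorithm, $hash] = split_stored($stored);
    switch ($algorithm) {
        case 'bcrypt':
            return password_verify($password, $hash);
        case 'md5': // assumed legacy format: unsalted hex MD5
            return hash_equals($hash, md5($password));
        default:
            return false; // unknown algorithm: fail closed
    }
}

// True when the settings page should warn: weaker algorithm or outdated bcrypt cost.
function can_upgrade(string $stored): bool {
    [$algorithm, $hash] = split_stored($stored);
    return $algorithm !== BEST_ALGORITHM
        || password_needs_rehash($hash, PASSWORD_BCRYPT);
}

// Returns [authenticated, value to write back to the credential row].
function login(string $password, string $stored): array {
    if (!verify_stored($password, $stored)) {
        return [false, $stored]; // never rehash on a failed attempt
    }
    // The plaintext is only available here, so this is the one place to upgrade.
    if (can_upgrade($stored)) {
        $stored = hash_with_best($password);
    }
    return [true, $stored];
}

// Constructed sample row for a legacy user.
$row = 'md5:' . md5('correct horse battery');
var_dump(can_upgrade($row));
[$ok, $row] = login('wrong guess', $row);
var_dump($ok, split_stored($row)[0]);
[$ok, $row] = login('correct horse battery', $row);
var_dump($ok, split_stored($row)[0], can_upgrade($row));
```

Accounts that never log in again keep their legacy hash under this scheme, which is why the settings-page warning and an explicit password change remain useful alongside the transparent upgrade.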

Details

Committed: epriestley <git@epriestley.com>, Feb 18 2014, 23:09
Pushed: aubort, Jan 31 2017, 17:16
Parents: rPH5778627e414c: Provide more storage space for password hashes and migrate existing hashes to…
Branches: Unknown
Tags: Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPH580bcd0d2be4: Implement bcrypt hasher, transparent login upgrade, and explicit upgrade for… (authored by epriestley <git@epriestley.com>). Feb 18 2014, 23:09