php - CakePHP 3.0 alpha2: How to compare a new password to old passwords?
Okay, I am testing out CakePHP 3.0 alpha2 and transferring an application from 2.5 to 3.x. The current application is set up so that when resetting a password, the user cannot change it to any of the previous 6 passwords (stored in a passwords table connected by user_id), for security purposes. Looking at the changes in Cake 3.0, I noticed that if I create a new entity the password hashes differently even if it is the same password. Is there a way to compare the new password to the old ones? Should I go about it using the password hasher's built-in function called check?
CakePHP 3 uses bcrypt. In brief: bcrypt uses a different salt for each password, and stores the salt as part of the password hash. That is why, as you've found, bcrypt generates a different hash each time the same plain-text password is encrypted.
However, if it's to be of any use to an authentication system, you have to be able to check whether a plain-text password 'fits' a given hashed version of the password - even though there's not one single 'correct' hashed version, right? Right.
You want the password_verify method - http://au2.php.net/password_verify
So, rather than hashing the plain-text version and seeing if the hashed version of the new password matches the hashed versions of each of the past 6 passwords, you have to call password_verify on the plain-text password 6 times - once for each of the previous hashed passwords - and see if there are any matches.
There's an explanation of bcrypt in PHP here: How do you use bcrypt for hashing passwords in PHP? I'd recommend reading it - once you understand how bcrypt treats passwords, this problem shouldn't be hard to solve.
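The check described in the answer, as an added example that is not part of the original post or of CakePHP itself: the password history is a constructed array of bcrypt hashes standing in for the rows of the asker's passwords table, and plain PHP password_verify is used so it runs without the framework (in CakePHP 3, DefaultPasswordHasher::check($plain, $hash) wraps the same call).

```php
<?php
// Added example (not from the original post): reject a new password that matches
// any of a user's previous bcrypt hashes by calling password_verify() once per hash.

/**
 * Return true if $plain matches any hash in $previousHashes.
 * password_verify() reads the salt and cost out of each stored hash, so the
 * stored value is all that is needed; re-hashing $plain would never compare equal.
 */
function matchesPreviousPassword(string $plain, array $previousHashes): bool
{
    foreach ($previousHashes as $hash) {
        if (password_verify($plain, $hash)) {
            return true;
        }
    }
    return false;
}

/**
 * Add the newly accepted hash to the history and keep only the most recent $keep
 * entries (the asker's application keeps 6). Assumes $history is newest-first.
 */
function pushPasswordHistory(array $history, string $newHash, int $keep = 6): array
{
    array_unshift($history, $newHash);
    return array_slice($history, 0, $keep);
}

// Constructed history: the same user's last three passwords. 'Winter2013!' appears
// twice, and the two hashes differ because bcrypt picks a fresh random salt each time.
$history = [
    password_hash('Winter2013!', PASSWORD_BCRYPT),
    password_hash('Winter2013!', PASSWORD_BCRYPT),
    password_hash('Spring2014!', PASSWORD_BCRYPT),
];

// Comparing hash strings directly is the approach that fails for the asker:
$naiveMatch = (password_hash('Winter2013!', PASSWORD_BCRYPT) === $history[0]);
var_dump($naiveMatch);

// password_verify() against each stored hash is the approach that works:
var_dump(matchesPreviousPassword('Winter2013!', $history));
var_dump(matchesPreviousPassword('Summer2014!', $history));

// On a successful reset, store the new hash and drop anything older than the 6th entry.
$history = pushPasswordHistory($history, password_hash('Summer2014!', PASSWORD_BCRYPT));
var_dump(count($history));
```

Each password_verify call costs one full bcrypt evaluation, so a six-entry history makes a reset roughly six times as expensive as a login; run the check only after the user has authenticated for the reset.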