security(auth): replace LthnHash with bcrypt for password hashing #78

@Snider

Parent audit: #38

Finding

LthnHash is not suitable for password hashing. It lacks the computational cost and salting properties required for secure password storage.

Location

  • src/Core/Helpers/ — LthnHash implementation
  • All password hashing call sites across the codebase

Fix

Replace LthnHash usage with password_hash() (bcrypt) for all password hashing. Implement a migration strategy for existing hashed passwords (rehash on next login).

Acceptance Criteria

  • All password hashing uses password_hash() with PASSWORD_BCRYPT or PASSWORD_DEFAULT
  • All password verification uses password_verify()
  • Migration path for existing passwords (rehash on successful login)
  • LthnHash class deprecated or removed
  • No plaintext or weakly-hashed passwords remain in the system
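
One way to implement the rehash-on-login migration described under Fix, as an added example that is not code from this repository. The `$legacyVerify` and `$store` callbacks are hypothetical, and `sha1` in the demo is only a constructed stand-in for the legacy scheme, since the LthnHash API is not shown in this issue.

```php
<?php
declare(strict_types=1);

/**
 * Verify a login and upgrade the stored hash when needed.
 * $legacyVerify: hypothetical stand-in for the old LthnHash check,
 *                fn(string $password, string $storedHash): bool
 * $store:        hypothetical callback that persists the new hash.
 */
function verifyAndUpgrade(
    string $password,
    string $storedHash,
    callable $legacyVerify,
    callable $store
): bool {
    // password_hash() output is self-describing; anything else is legacy.
    $isModern = password_get_info($storedHash)['algoName'] !== 'unknown';

    if ($isModern) {
        if (!password_verify($password, $storedHash)) {
            return false;
        }
        // Cost or default algorithm may have changed since this hash was made.
        if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
            $store(password_hash($password, PASSWORD_DEFAULT));
        }
        return true;
    }

    // Legacy record: check with the old scheme, then replace it immediately
    // while the plaintext is still available from the login request.
    if (!$legacyVerify($password, $storedHash)) {
        return false;
    }
    $store(password_hash($password, PASSWORD_DEFAULT));
    return true;
}

// Constructed demo data: one user whose record still holds a legacy hash.
$db = ['alice' => sha1('correct horse')];
$legacy = fn(string $p, string $h): bool => hash_equals($h, sha1($p));
$save = function (string $new) use (&$db): void { $db['alice'] = $new; };

var_dump(verifyAndUpgrade('wrong', $db['alice'], $legacy, $save));
var_dump(verifyAndUpgrade('correct horse', $db['alice'], $legacy, $save));
var_dump(password_get_info($db['alice'])['algoName']);
```

Accounts that never log in again keep their legacy hash, so the last acceptance criterion still needs a separate step such as a forced password reset. Note that PASSWORD_BCRYPT truncates the password at 72 bytes.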
