Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adds legacySalt argument to PasswordValidatorInterface #6

Merged
merged 8 commits into from
May 14, 2014
Merged

Adds legacySalt argument to PasswordValidatorInterface #6

merged 8 commits into from
May 14, 2014

Conversation

jeremykendall
Copy link
Owner

Allows using salts with the UpgradeValidator. Inspired by @karptonite's Rehashing Password Hashes blog post.

Jeremy Kendall and others added 5 commits May 13, 2014 11:51
Example/proof-of-concept of @karptonite's "Rehashing Password Hashes"
63e5cdf 
See Daniel Karp's comment here: http://jeremykendall.net/2014/01/04/php-password-hashing-a-dead-simple-implementation/#comment-1382769545
and his blog post here: http://karptonite.com/2014/05/11/rehashing-password-hashes/
@jeremykendall
Adds ability to pass a salt into PasswordValidatorInterface::isValid
fdb8802 
Salt might be necessary in the UpgradeValidator.
@jeremykendall
Fixes a bug that always set $legacySalt = null
85e0f50
@jeremykendall
Corrected example/proof-of-concept of @karptonite's "Rehashing Passwo…
f304854 
…rd Hashes"

Now with salty goodness!

See Daniel Karp's comment here: http://jeremykendall.net/2014/01/04/php-password-hashing-a-dead-simple-implementation/#comment-1382769545
and his blog post here: http://karptonite.com/2014/05/11/rehashing-password-hashes/
@jeremykendall
Documentation tweaks, DRYs up test a bit
09429e6
@jeremykendall
Copy link
Owner Author

@karptonite You were right on all counts. I must have taken stupid pills with my coffee this morning, I swear.

You definitely need the salt--there is no way to reproduce the legacyHash (which becomes the new password) unless you have the original salt, unless the legacy system hashes the password without salt.

This is what I've come up with, adding the ability to pass salts to PasswordValidatorInterface::isValid, and here's a sample implementation of the $validatorCallback that takes salts into account.

jeremykendall added a commit that referenced this pull request May 14, 2014
@jeremykendall
Merge pull request #6 from jeremykendall/example/daniel-karps-rehash-…
52cd57f 
…upgrade-scenario

Adds legacySalt argument to PasswordValidatorInterface
@jeremykendall jeremykendall merged commit 52cd57f into develop May 14, 2014
@jeremykendall jeremykendall deleted the example/daniel-karps-rehash-upgrade-scenario branch May 14, 2014 08:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@jeremykendall @karptonite