Skip to main content

Password Rehashing in PHP

With PHP 7.2 the newest secure hashing method Argon2 has been coming to PHP. And while it’s still not the default value, we now implemented an upgrade path for our user’s password hashes.

First of all, we need at least PHP 7.2 for this to work, even better would be PHP 7.3 where the improved hashing algorithm Argon2id is available. As PHP 7.3 isn’t easy to upgrade to due to several changes in the code requirements, we implemented a safe way to run an upgrade to Argon2 on any of the systems with the best available algorithm:

public function passwordAlgorithm() {
  return PHP_VERSION_ID < 70300 ? PASSWORD_ARGON2I : PASSWORD_ARGON2ID;
}

With that information we can now use PHP’s native password functions to check if the entered password matches the stored hash, if the stored hash is using the latest algorithm and if not, rehash it to upgrade to a more secure one:

public function passwordRehash ( $password ) : Bool {
  if ( password_verify( $password, $hash ) ) {
    if ( password_needs_rehash( $hash, $this->passwordAlgorithm ) ) {
      $hash = password_hash( $password, $this->passwordAlgorithm );
      return true;
    }
    return false;
  }
}

Note that the code examples here don’t reflect our actual codebase, but are simplified versions of our implementation and for explanatory purpose only.

This means that once a user logs into their Colloq account, we always check whether their password hash can be upgraded to latest standards. In case of any data breach out there, this means our user’s password is a bit more secure, even if it’s re-used throughout other websites as they might not use the same hashing algorithm (yet), and thus, attackers cannot identify the password as the same.


Want to read more articles like this? Subscribe to the category Engineering or the feed for all our articles.