1

We are migrating an old website, which used pretty old password hashing, to the new PHP password verify function. The old method used an old hash, and we would like to use password_verify instead of the old method, where just a hash and a salt were stored. The old hash algorithm was outdated, so we don't want to convert the old hash to the password_verify structure (which might be possible).

Instead, we will block access and require a user to reset their password before continuing.

Question

Can we set the hash used in password_verify to "" (empty string) to block access to the account?

user23127
    This should be secure, however why not simply set a boolean flag in the DB when importing accounts that should be locked out? It'll save you resources hashing the passwords for nothing as well as allow you to display the user a message that their account is locked out and they should reset their password. – André Borie Jan 23 '17 at 10:28

2 Answers

1

From the pure hashing view, yes, it is secure. The new password verify uses bcrypt or blowfish to encrypt the password; in none of the cases could it be made into an empty string by a tricky password.

However, there are other views which you could consider.

First, security is not only about closing the known attack possibilities, it is also about closing out any currently unknown ones. This is really hard. Defense is easy against anything that you know.

Second, secure code should also be easy to understand, to avoid the appearance of secholes caused by multiple programmers not knowing each other's work well enough. I would like to mention the remote root ssh sechole from some years ago (although in this case there is a possibility that it was an intended attack).

In my opinion, you would do your task better if you somehow clearly marked in your database that an account is closed because of the algorithm upgrade, and not for some other reason, and your login / auth code should specifically handle this case. This is what you should do even if it leads to seemingly redundant code.

peterh
0

My solution for this issue was: You don't need to force the user to reset his / her password. Just update your PHP code to keep updating the password with the new hash at each login attempt for each user.

Don't remove the old hash algorithm used to verify. Just verify the password with both algorithms. If the password is verified with either of these algorithms, then let the user log in, but before that, check which algorithm worked for that user. If the old algorithm worked for the login, that means this password was created with the old hash algorithm, so at that stage hash the user's password with the new hash algorithm and update it in the database.

This way, with the help of your PHP code, the database would keep its passwords updated automatically with the new hash algorithm.

So at every login event, the password would be changed to the new hash algorithm automatically, with no need to force users to reset their passwords.
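
An added example, not part of either answer or the asker's code: a PHP login check that combines the explicit lock flag suggested in the first answer and the comment with the rehash-on-login approach of the second answer, and also calls `password_verify()` against the empty-string hash from the question. The column names, the `login()` and `legacy_hash()` helpers, and salted SHA-1 as the old scheme are assumptions, since the page does not name the legacy algorithm.

```php
<?php
declare(strict_types=1);

// Assumption: salted SHA-1 stands in for the unnamed legacy scheme.
function legacy_hash(string $password, string $salt): string
{
    return sha1($salt . $password);
}

// Returns 'ok', 'reset_required' or 'denied'. $user is one account row with
// hypothetical columns; it is passed by reference so hash upgrades persist.
function login(array &$user, string $password): string
{
    // Explicit lock state, checked before any hashing work is done.
    if ($user['reset_required']) {
        return 'reset_required';
    }
    // Account already carries a password_hash() value.
    if ($user['password_hash'] !== null) {
        if (!password_verify($password, $user['password_hash'])) {
            return 'denied';
        }
        // Keep the stored hash current when PASSWORD_DEFAULT or its cost changes.
        if (password_needs_rehash($user['password_hash'], PASSWORD_DEFAULT)) {
            $user['password_hash'] = password_hash($password, PASSWORD_DEFAULT);
        }
        return 'ok';
    }
    // Legacy account: constant-time compare, then upgrade and drop the old hash.
    if ($user['legacy_hash'] !== null
        && hash_equals($user['legacy_hash'], legacy_hash($password, $user['legacy_salt']))) {
        $user['password_hash'] = password_hash($password, PASSWORD_DEFAULT);
        $user['legacy_hash'] = $user['legacy_salt'] = null;
        return 'ok';
    }
    return 'denied';
}

// Constructed sample rows, not data from the page.
$legacy = ['password_hash' => null, 'legacy_hash' => legacy_hash('hunter2', 'abc'),
           'legacy_salt' => 'abc', 'reset_required' => false];
$locked = ['password_hash' => null, 'legacy_hash' => null,
           'legacy_salt' => null, 'reset_required' => true];

var_dump(password_verify('anything', ''));   // empty-string hash from the question
var_dump(password_verify('', ''));           // empty password against the empty hash
var_dump(login($locked, 'hunter2'));         // flagged account
var_dump(login($legacy, 'hunter2'));         // legacy account, upgraded on success
var_dump(password_get_info($legacy['password_hash'])['algoName']);
var_dump(login($legacy, 'wrong-password'));  // now checked against the new hash only
```

The separate `reset_required` result lets the login page tell the user why access is blocked, which an empty hash alone cannot do.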