Use password_hash() and friends to hash and verify passwords

Previously I rolled my own password hashing function. While it at least
used some sort of salt, it's still a terrible idea.

The newly created class PasswordHash wraps the password_hash() family of
functions but can also check the old password hash format (to distinguish
them, the new password hashes are prefixed with a '!'). In
PasswordHash::needsRehash we then always report an hash of the old format
as being in need of a rehash. That way, these old hashes will be replaced
the next time the user successfully logs in.

1 files changed, 2 insertions, 2 deletions

diff --git a/ratatoeskr/setup/setup.php b/ratatoeskr/setup/setup.php
index 23205b8..c18fff0 100644
--- a/ratatoeskr/setup/setup.php
+++ b/ratatoeskr/setup/setup.php
@@ -1,6 +1,7 @@
 <?php
 
 use r7r\ste;
+use r7r\cms\sys\PasswordHash;
 
 define("SETUP", true);
 
@@ -8,7 +9,6 @@ require_once(dirname(__FILE__) . "/../vendor/autoload.php");
 require_once(dirname(__FILE__) . "/../sys/init_ste.php");
 require_once(dirname(__FILE__) . "/../sys/translation.php");
 require_once(dirname(__FILE__) . "/../sys/db.php");
-require_once(dirname(__FILE__) . "/../sys/pwhash.php");
 require_once(dirname(__FILE__) . "/../languages.php");
 require_once(dirname(__FILE__) . "/create_tables.php");
 
@@ -221,7 +221,7 @@ STYLE;
             $ratatoeskr_settings->save();
 
             $admingrp = Group::create("admins");
-            $admin = user::create($_POST["admin_username"], PasswordHash::create($_POST["admin_init_password"]));
+            $admin = User::create($_POST["admin_username"], PasswordHash::hash($_POST["admin_init_password"]));
             $admin->save();
             $admingrp->include_user($admin);