From 5e347e4efaa81c2108256dc927208cd55dc10baa Mon Sep 17 00:00:00 2001 From: Laria Carolin Chabowski Date: Fri, 25 Sep 2020 23:09:31 +0200 Subject: Use password_hash() and friends to hash and verify passwords Previously I rolled my own password hashing function. While it at least used some sort of salt, it's still a terrible idea. The newly created class PasswordHash wraps the password_hash() family of functions but can also check the old password hash format (to distinguish them, the new password hashes are prefixed with a '!'). In PasswordHash::needsRehash we then always report an hash of the old format as being in need of a rehash. That way, these old hashes will be replaced the next time the user successfully logs in. --- ratatoeskr/sys/models.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'ratatoeskr/sys/models.php') diff --git a/ratatoeskr/sys/models.php b/ratatoeskr/sys/models.php index b820e6f..1b196d6 100644 --- a/ratatoeskr/sys/models.php +++ b/ratatoeskr/sys/models.php @@ -253,7 +253,7 @@ class User extends BySQLRowEnabled * Variables: Public class properties * * $username - The username. - * $pwhash - of the password. + * $pwhash - Hash of the password. * $mail - E-Mail-address. * $fullname - The full name of the user. * $language - Users language @@ -270,7 +270,7 @@ class User extends BySQLRowEnabled * * Parameters: * $username - The username - * $pwhash - of the password + * $pwhash - Hash of the password * * Returns: * An User object -- cgit v1.2.3-70-g09d2
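Review bot: In the first hunk (the `$pwhash` property comment at line 256 of the class docblock) the new wording "Hash of the password." is correct but underspecifies the value given what the commit message says: the column now holds either a legacy home-grown hash or a `password_hash()` hash prefixed with `'!'`, and only `PasswordHash` knows how to tell them apart. Suggest documenting that here so nobody compares or regenerates the field directly, e.g. `* $pwhash - Hash of the password (opaque; produce and verify only via PasswordHash, which also handles the legacy format).` Since this diff is limited to `ratatoeskr/sys/models.php`, the `PasswordHash` class and its `needsRehash()` behaviour described in the message are not visible in this patch and should be reviewed in the companion change.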
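Review bot: In the second hunk (the Parameters block around line 273) the `$pwhash` parameter is now described as "Hash of the password", but nothing tells a caller which hash format is expected; given the migration described in the commit message, the constructor or factory should only ever receive output of the new `PasswordHash` wrapper, never a plaintext password or a freshly computed legacy hash, so consider `* $pwhash - Hash of the password, as produced by PasswordHash`. Minor: the unchanged context line `* An User object` should read `* A User object`.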