From 5e347e4efaa81c2108256dc927208cd55dc10baa Mon Sep 17 00:00:00 2001 From: Laria Carolin Chabowski Date: Fri, 25 Sep 2020 23:09:31 +0200 Subject: Use password_hash() and friends to hash and verify passwords Previously I rolled my own password hashing function. While it at least used some sort of salt, it's still a terrible idea. The newly created class PasswordHash wraps the password_hash() family of functions but can also check the old password hash format (to distinguish them, the new password hashes are prefixed with a '!'). In PasswordHash::needsRehash we then always report a hash of the old format as being in need of a rehash. That way, these old hashes will be replaced the next time the user successfully logs in. --- setup.php | 1 - 1 file changed, 1 deletion(-) (limited to 'setup.php') diff --git a/setup.php b/setup.php index f496dfe..47f2202 100644 --- a/setup.php +++ b/setup.php @@ -69,7 +69,6 @@ $files = [ "/ratatoeskr/sys/pluginpackage.php", "/ratatoeskr/sys/db.php", "/ratatoeskr/sys/utils.php", - "/ratatoeskr/sys/pwhash.php", "/ratatoeskr/sys/init_ste.php", "/ratatoeskr/sys/models.php", "/ratatoeskr/sys/textprocessors.php", --
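Review bot: The hunk only removes "/ratatoeskr/sys/pwhash.php" from $files, but the file holding the new PasswordHash class named in the commit message is not added to the list. If $files is the set of required sources that setup.php checks for, the replacement file should be listed here too (its path is not visible in this view, so I cannot suggest the exact entry); otherwise an incomplete install would pass setup and only fail at login. Also worth confirming that no other file still includes or requires pwhash.php now that it is dropped from this list.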
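The migration pattern the commit message describes (a wrapper around password_hash() that still verifies the legacy format, marks new hashes with a '!' prefix, and reports every legacy hash as needing a rehash so it is replaced on the next successful login) as an added example; this is not the project's own PasswordHash class. The legacy scheme used here ("salt$sha256(salt . password)"), the method names and the loginAndUpgrade() helper are assumptions made to keep the example self-contained.

```php
<?php
// Added example, not code from the ratatoeskr project.
// Assumed legacy format (not from the commit): "salt$hexdigest" with
// hexdigest = sha256(salt . password). New hashes are prefixed with '!'
// so the two formats can be told apart, as the commit message describes.

final class PasswordHash
{
    private const NEW_PREFIX = '!';

    // Hash with PHP's current default algorithm and mark the result as new-format.
    public static function create(string $password): string
    {
        return self::NEW_PREFIX . password_hash($password, PASSWORD_DEFAULT);
    }

    // Verify against whichever format the stored hash uses.
    public static function verify(string $password, string $hash): bool
    {
        if (self::isNewFormat($hash)) {
            return password_verify($password, substr($hash, 1));
        }
        return self::verifyLegacy($password, $hash);
    }

    // Every legacy hash needs a rehash; new-format hashes defer to
    // password_needs_rehash(), which also covers future cost/algorithm changes.
    public static function needsRehash(string $hash): bool
    {
        if (!self::isNewFormat($hash)) {
            return true;
        }
        return password_needs_rehash(substr($hash, 1), PASSWORD_DEFAULT);
    }

    private static function isNewFormat(string $hash): bool
    {
        return $hash !== '' && $hash[0] === self::NEW_PREFIX;
    }

    // Hypothetical legacy verifier, kept only so old records can still log in
    // once before being upgraded. Constant-time comparison via hash_equals().
    private static function verifyLegacy(string $password, string $hash): bool
    {
        $parts = explode('$', $hash, 2);
        if (count($parts) !== 2) {
            return false;
        }
        [$salt, $digest] = $parts;
        return hash_equals($digest, hash('sha256', $salt . $password));
    }
}

// Login flow: verify first, then transparently upgrade the stored hash.
// $persist receives the new hash and is expected to write it to storage.
function loginAndUpgrade(string $password, string $storedHash, callable $persist): bool
{
    if (!PasswordHash::verify($password, $storedHash)) {
        return false;
    }
    if (PasswordHash::needsRehash($storedHash)) {
        $persist(PasswordHash::create($password));
    }
    return true;
}

// Demo with a constructed legacy record for a made-up user.
$stored = 'c0ffee' . '$' . hash('sha256', 'c0ffee' . 'correct horse');
$persist = function (string $newHash) use (&$stored): void {
    $stored = $newHash;
};

var_dump(loginAndUpgrade('correct horse', $stored, $persist)); // first login
var_dump(PasswordHash::needsRehash($stored));                  // after upgrade
var_dump(loginAndUpgrade('wrong password', $stored, $persist)); // rejected
```

After the first successful login the stored value starts with '!' and needsRehash() no longer reports it, so the legacy verifier is only ever exercised once per account; the wrong-password call fails without touching storage. Keeping the legacy path confined to verifyLegacy() makes it easy to delete once no old-format hashes remain.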