On Wed, Jan 27, 2021 at 10:27 AM Benjamin Morel <benjamin.mo...@gmail.com> wrote:
> I just spent some time debugging an authentication issue after upgrading
> PHP, and realized that it was due to ext-sodium not being installed, so
> password_verify() would always return false for argon2i hashes.
>
> Digging a bit more, I realized that password_verify() does not complain if
> the algorithm is unknown, or if the hash string is malformed:
>
> var_export(password_verify('passw0rd', 'any/string%as|a$hash')); // false
>
> Shouldn't it throw an exception, or at least trigger a warning, when the
> algorithm is unknown, or the hash is malformed? Returning false, IMO, should
> mean "I recognize this hash, but it doesn't match your password". "I don't
> recognize this hash" is an application issue and should be reported.

+1

Two very different error cases deserve two very different handling modes. Technically the tools exist to examine a hash and compare it against a known list of algos, but that's honestly more work than the problem should require. Matching passwords should be idiot-proof.

-Sara
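One way to get the distinction asked for above in userland today, as an added example that is not part of this thread: inspect the stored hash with password_get_info() and password_algos() (PHP 7.4+) before calling password_verify(), so that an unrecognized or unsupported hash is reported instead of folded into a plain false. The function name verifyPasswordStrict is an assumption of this example.

```php
<?php
declare(strict_types=1);

/**
 * Like password_verify(), but throws when the stored hash is not something
 * this PHP build can verify, instead of silently returning false.
 * Added example, not part of the thread; needs PHP 7.4+ for password_algos().
 */
function verifyPasswordStrict(string $password, string $storedHash): bool
{
    $info = password_get_info($storedHash);

    // Two cases collapse to "unknown" here: a malformed string, and an
    // algorithm this build lacks (e.g. an argon2i hash on a build without
    // argon2 support). password_get_info() reports algo null / algoName
    // "unknown" for both, and password_algos() lists what is actually usable.
    if ($info['algo'] === null || !in_array($info['algo'], password_algos(), true)) {
        throw new UnexpectedValueException(
            'Stored hash is not verifiable by this PHP build (algorithm "'
            . $info['algoName'] . '"); check installed extensions or the stored value.'
        );
    }

    // From here on, false really means "wrong password".
    return password_verify($password, $storedHash);
}

// Constructed demo values, not real credentials.
$hash = password_hash('passw0rd', PASSWORD_BCRYPT);

var_dump(verifyPasswordStrict('passw0rd', $hash));
var_dump(verifyPasswordStrict('wrong-password', $hash));

try {
    // The malformed hash from the message above: now an exception, not false.
    verifyPasswordStrict('passw0rd', 'any/string%as|a$hash');
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Logging or alerting on that exception is what surfaces the missing-extension case at deploy time rather than as a stream of failed logins.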