Password4j/password4j

needRehash function to check if password parameters are up to date

realkarmakun opened this issue · 4 comments

Is your feature request related to a problem? Please describe.
Would like to check if a hash actually needs rehashing before wasting resources on recalculating it.

Describe the solution you'd like
A needRehash method returning a boolean (perhaps on the HashChecker object) that shows if the parameters are up to date without necessarily calling HashChecker#update.
I'm guessing that in the current state, calling this method on a hash with the same parameters would generate a new hash anyway, even if its parameters are the same as before.

Describe alternatives you've considered
Right now we are reading parameters from the encoded hash itself (e.g. $argon2id$t=...), but it sounds like a job that can be done by the library, not the developer.

Hi @realkarmakun thanks for the suggestion.
Do you need a boolean function that tells if you need to update the hash, or just the certainty that the library would not calculate a new hash?
I prefer the first one, because one would need to regenerate the salt even if the parameters didn't change.

@firaja
Yes, I prefer the first option as well. It would allow more control over when generation happens and is overall more intuitive (IMHO). Check if an update is needed => update the hash.

Not sure about handling updates between algorithms in this case, though. Is it possible to check what algorithm was used in the original hash after the check call?

Hi @realkarmakun,

the feature requested is in the master branch. The 1.7.0 release will be public by the end of the week.

You can check if there has been an update with a boolean flag, like in this example:

HashUpdate update = Password.check(password, hash.getResult())
                .andUpdate().with(...);

update.isUpdated(); // true or false

Using a different algorithm, even with different parameters, or using #addNewSalt(...) or #addNewPepper(...) makes the library recalculate the hash.

If you need to force the update for any reason, you can use #forceUpdate(). For example, the Bcrypt salt could be regenerated internally by the library.

HashUpdate update = Password.check(password, hash.getResult())
                .andUpdate().forceUpdate().with(...);

update.isUpdated(); // true
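A worked login flow built on the check-and-update API described in the comment above. This is an added example, not code from the issue or from the password4j project. It assumes the `with(currentFunction, targetFunction)` overload of the updater (the thread only shows `with(...)`), that `Argon2Function.getInstanceFromHash(String)` parses the parameters out of an encoded `$argon2id$...` string, and that `HashUpdate` exposes `isVerified()`, `isUpdated()` and `getHash()` as the 1.7.0 comment states. The Argon2 parameter values are placeholders for the example, not a tuning recommendation.

```java
import com.password4j.Argon2Function;
import com.password4j.HashUpdate;
import com.password4j.Password;
import com.password4j.types.Argon2;

/**
 * Login flow that verifies a stored Argon2id hash against the current policy and
 * writes a new hash back only when the library reports that it actually recomputed one.
 */
public class RehashOnLogin {

    // Current policy: memory in KiB, iterations, parallelism, output length in bytes, variant.
    // Example values for this snippet, not a recommendation.
    static final Argon2Function CURRENT_POLICY =
            Argon2Function.getInstance(65536, 3, 2, 32, Argon2.ID);

    // Outcome handed back to the caller: whether the password verified, and the hash to
    // persist (null when the stored hash is already on the current policy).
    static final class Outcome {
        final boolean verified;
        final String hashToStore;

        Outcome(boolean verified, String hashToStore) {
            this.verified = verified;
            this.hashToStore = hashToStore;
        }
    }

    static Outcome login(String password, String storedHash) {
        // Parameters of the stored hash come from its encoded form ($argon2id$v=..$m=..,t=..,p=..$..),
        // so this code does not have to remember which policy produced it.
        // Assumption: getInstanceFromHash parses them as the documented API describes.
        Argon2Function storedPolicy = Argon2Function.getInstanceFromHash(storedHash);

        // Assumed overload: with(currentFunction, targetFunction). Per the maintainer's comment,
        // the hash is recomputed only if the two differ, a new salt/pepper was requested,
        // or forceUpdate() was called.
        HashUpdate update = Password.check(password, storedHash)
                .andUpdate()
                .with(storedPolicy, CURRENT_POLICY);

        if (!update.isVerified()) {
            // Wrong password: never touch the stored hash.
            return new Outcome(false, null);
        }
        if (update.isUpdated()) {
            // Parameters changed: persist the freshly computed hash.
            return new Outcome(true, update.getHash().getResult());
        }
        // Already on the current policy: no database write needed.
        return new Outcome(true, null);
    }

    static String rotateSalt(String password, String storedHash) {
        // forceUpdate() recomputes even when the parameters already match,
        // e.g. to give a user a fresh salt after a suspected hash leak.
        Argon2Function storedPolicy = Argon2Function.getInstanceFromHash(storedHash);
        HashUpdate update = Password.check(password, storedHash)
                .andUpdate()
                .forceUpdate()
                .with(storedPolicy, CURRENT_POLICY);
        return update.isVerified() ? update.getHash().getResult() : null;
    }

    public static void main(String[] args) {
        // Constructed example: a hash produced under an older, weaker policy.
        Argon2Function oldPolicy = Argon2Function.getInstance(4096, 2, 1, 32, Argon2.ID);
        String legacy = Password.hash("correct horse battery staple")
                .addRandomSalt()
                .with(oldPolicy)
                .getResult();

        Outcome first = login("correct horse battery staple", legacy);
        System.out.println("first login: verified=" + first.verified
                + " rehashed=" + (first.hashToStore != null));

        String stored = first.hashToStore != null ? first.hashToStore : legacy;
        Outcome second = login("correct horse battery staple", stored);
        System.out.println("second login: verified=" + second.verified
                + " rehashed=" + (second.hashToStore != null));

        Outcome bad = login("wrong password", stored);
        System.out.println("wrong password: verified=" + bad.verified);
    }
}
```

Following the maintainer's description, the first login should report a rehash because the stored parameters differ from `CURRENT_POLICY`, the second should not because the parsed parameters now match, and a wrong password must never produce a hash to store. The point of branching on `isUpdated()` rather than always writing `getHash()` back is exactly the one raised in the issue: a write is only justified when the library actually recomputed something, and `forceUpdate()` is the explicit opt-in for the salt-rotation case where the parameters are unchanged.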

Hi @realkarmakun ,

version 1.7.0 is now public.
See the changelog for further information.