If I increase the bcrypt cost do I have to rehash the users password already registered?

Question

I\'m just digging into Symfony2 and just got my own user-provider running. ATM I use brypt with a cost of 12. If I now increase the cost, bcrypt should rehash the password again

Answer 1

You can change the cost in any moment because as you can read in the official symfony2 docs you don't need to rehash the old passwords because they are automatically handled with the old cost (and if you want you can force the users in the future to change their password like happens in many large sites).

Answer 2

You can't reverse a hash function so you're left with two options:

1. Force on user to insert new password or...

2. Update the hash as users login to your system again (You can force to kick the cookie and sessions that allows the user to log in without retyping their password). This solution will allow your users to log in with the old hash and at the same time you will update the old hash with the new one. Next time your user will log in, the script will use the new version of the hash to login the user.

In this example, I have used md5 as a hash and I want to update it to BCRYPT with cost = 12 but feel free to change it to what ever you need. Change from BCRYPT cost=10 to BCRYPT cost = 12 would also work or any other combination. Consider this example:

$passwordFromDatabase = "0d107d09f5bbe40cade3de5c71e9e9b7"; // md5  hash of "letmein"
$passwordFromForm = $_POST['password']; // $_POST['password'] == "letmein"

if(password_needs_rehash($passwordFromDatabase, PASSWORD_BCRYPT, ["cost" => 12]) && md5($passwordFromForm) === $passwordFromDatabase){
    // generate new password
    $newPasswordHash = password_hash($passwordFromForm, PASSWORD_BCRYPT, ["cost" => 12]);
    // update hash from databse - replace old hash $passwordFromDatabase with new hash $newPasswordHash
    // after update login user
    if(password_verify($passwordFromForm, $newPasswordHash)){
        // user has logged in successfully and hash was updated
        // redirect to user area
    }else{
        // ups something went wrong Exception
    }
}else{
    if(password_verify($passwordFromForm, $passwordFromDatabase)){
        // user password hash from database is already BCRYPTed no need to rehash
        // user has logged in successfully
        // redirect to user area
    }else{
        // wrong password
        // no access granted - stay where you are
    }
}

I prefer the second option :). Make your own choice. If you pick the second option and choose not to kick the cookie and session that allow user to login without providing the password, it's OK too... The change will happen overtime. And no one will even notice the change.