Examines the hash provided and returns the information which is encoded within it, including the algorithm, version and iterations.
These details can be used to determine whether a passphrase might need to be re-hashed using a newer algorithm or an increased number of iterations.
In addition to the supported algorithms, this function will also identify hashes from common crypt implementations.
A struct containing information about the hash provided.
Different algorithms provide different keys. All algorithms provide at least the key "Algorithm" containing its name, and "Status" providing a guide to whether this algorithm can/should be used:
(Note that this value does not consider algorithm parameters.)
PassphraseInfo( Hash [, Algorithm ])
Name | Type | Default | Description |
---|---|---|---|
Hash | String | Required | A hash in the format of a supported algorithm. |
Algorithm | String | Optional | If unspecified, the algorithm is auto-detected from the hash. |
The PassphraseInfo function might be used inside a scheduled task that runs occasionally to check for accounts that need to be refreshed:
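<!--- CurrentAlgorithm and MinCurrentIterations are assumed to be set elsewhere in the application. --->
<!--- Select accounts not modified in the last 60 days and not already flagged. --->
<cfquery name="OldUsers" datasource="UserAuth">
    SELECT Id , Hash
    FROM User
    WHERE LastModified < <cfqueryparam value="#Now()-60#" cfsqltype="cf_sql_date" />
    AND IsStale = 0
</cfquery>
<cfset StaleHashes = [] />
<cfloop query="OldUsers">
    <cfset HashInfo = PassphraseInfo ( OldUsers.Hash ) />
    <!--- Iterations is only read when the algorithm already matches (OR short-circuits). --->
    <cfif HashInfo.Algorithm NEQ CurrentAlgorithm
        OR HashInfo.Iterations < MinCurrentIterations
        >
        <cfset ArrayAppend( StaleHashes , OldUsers.Id ) />
    </cfif>
</cfloop>
<cfif ArrayLen(StaleHashes)>
    <!--- Flag the accounts; the hashes themselves cannot be upgraded here. --->
    <cfquery datasource="UserAuth">
        UPDATE User
        SET IsStale = 1
        WHERE Id IN (<cfqueryparam list="true" value="#ArrayToList(StaleHashes)#" cfsqltype="cf_sql_integer" />)
    </cfquery>
</cfif>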
It is not possible to calculate a newer hash without the passphrase, so you cannot simply update a hash to increase the iterations. Instead, set a flag to indicate that the re-hash must be performed at the next login.
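
The login-time half of that flow, as an added example that is not part of the original documentation. It assumes companion functions PassphraseCheck( Passphrase , Hash ) and PassphraseHash( Passphrase , Algorithm ) with those signatures, a hypothetical Username column and Form fields, and the same CurrentAlgorithm variable used above.

```cfml
<!--- Added example: re-hash a flagged account at login, when the plaintext is available.
      Assumed (not from this page): PassphraseCheck, PassphraseHash, the Username column,
      Form.Username and Form.Passphrase. --->
<cfquery name="Account" datasource="UserAuth">
    SELECT Id , Hash , IsStale
    FROM User
    WHERE Username = <cfqueryparam value="#Form.Username#" cfsqltype="cf_sql_varchar" />
</cfquery>

<!--- AND short-circuits, so the check is skipped when no single account matched. --->
<cfset Authenticated = Account.RecordCount EQ 1
    AND PassphraseCheck( Form.Passphrase , Account.Hash ) />

<cfif Authenticated AND Account.IsStale>
    <!--- Only re-hash after the old hash has verified the passphrase. --->
    <cfset NewHash = PassphraseHash( Form.Passphrase , CurrentAlgorithm ) />
    <cfset NewInfo = PassphraseInfo( NewHash ) />

    <!--- Confirm the new hash really reports the current algorithm before storing it. --->
    <cfif NewInfo.Algorithm EQ CurrentAlgorithm>
        <cfquery datasource="UserAuth">
            UPDATE User
            SET Hash = <cfqueryparam value="#NewHash#" cfsqltype="cf_sql_varchar" />
              , IsStale = 0
              , LastModified = <cfqueryparam value="#Now()#" cfsqltype="cf_sql_timestamp" />
            WHERE Id = <cfqueryparam value="#Account.Id#" cfsqltype="cf_sql_integer" />
              <!--- Compare-and-swap: do not overwrite a hash changed by a concurrent reset. --->
              AND Hash = <cfqueryparam value="#Account.Hash#" cfsqltype="cf_sql_varchar" />
        </cfquery>
    </cfif>
</cfif>
```

Accounts that never log in again keep their old hash and stay flagged, so the IsStale column also serves as a report of which accounts still hold hashes below the current policy.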