I would like to prevent users from using the same password they used in the last 3 months.
My first approach was to create a table to store a password history for each user. The problem is that Symfony uses Bcrypt to encode passwords, and it hashes it differently each time, so my idea of simply comparing strings won't work.
Is there a way to execute IsPasswordValid against an entity that does not implement UserInterface, so I could check whether the new password returns true for each stored password?
Also any other ideas are welcome.
I'm using Symfony 3.0.6, and I'm not willing to use FOS_User_Bundle; I already know how to make it work with it.
Thanks.
You'll want to use password_verify() to see if the new password they have entered matches any of the past x passwords that you have stored.
So, a very simple example:
// A stored history entry: the bcrypt hash, never the plaintext.
$oldPassword = password_hash('password', PASSWORD_DEFAULT);
// The plaintext the user just submitted as their new password.
$newPassword = 'password';
// password_verify() reads the salt and cost out of the stored hash,
// so the same password can be checked against a hash made earlier.
if (password_verify($newPassword, $oldPassword)) {
    echo 'Previously used password, please choose another';
}
Essentially you just need to pull out the user's old password hashes, loop through them and use password_verify against each of the old ones to see if any match; if one does, then you know they've used a previously stored password.
As a little side note, if you wanted to go one step further and do similarity checks, you would have to generate all the permutations yourself and then follow the same routine of using password_verify on the old passwords against all your permutations.
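The same idea carried through to the 3-month window asked about in the question, as an added example that is not part of the original question or answer: a check over a list of stored bcrypt hashes that ignores entries older than the window, and a helper that appends the newly accepted hash and prunes the list. The row layout (`hash` plus `changed_at`), the function names and the window constant are assumptions for the example; the history would normally come from the per-user table mentioned in the question.

```php
<?php
// Added example, not code from the original question or answer.
// Assumed layout of a history row (hypothetical): ['hash' => string, 'changed_at' => DateTimeImmutable].

const PASSWORD_HISTORY_WINDOW = 'P3M'; // 3 months; adjust to your policy

/**
 * True if $newPassword matches any hash recorded inside the window.
 * Only the plaintext the user just typed is ever hashed; stored entries are
 * bcrypt hashes and are compared with password_verify(), which takes the
 * salt and cost from the stored string, so a fresh hash of the old password
 * is never needed.
 */
function isPasswordReused(string $newPassword, array $history, DateTimeImmutable $now): bool
{
    $cutoff = $now->sub(new DateInterval(PASSWORD_HISTORY_WINDOW));
    foreach ($history as $entry) {
        if ($entry['changed_at'] < $cutoff) {
            continue; // older than the window, not part of the policy
        }
        if (password_verify($newPassword, $entry['hash'])) {
            return true;
        }
    }
    return false;
}

/**
 * Call this once the new password has been accepted: append its hash and
 * drop entries that have aged out of the window so the table stays small
 * (each remaining entry costs one bcrypt verification per password change).
 */
function recordPassword(array $history, string $newHash, DateTimeImmutable $now): array
{
    $cutoff = $now->sub(new DateInterval(PASSWORD_HISTORY_WINDOW));
    $history[] = ['hash' => $newHash, 'changed_at' => $now];
    return array_values(array_filter($history, function (array $e) use ($cutoff) {
        return $e['changed_at'] >= $cutoff;
    }));
}

// --- constructed sample data for the demonstration ---
$now = new DateTimeImmutable('2016-06-01');
$history = [
    // changed more than 3 months before $now
    ['hash' => password_hash('winter2016', PASSWORD_BCRYPT), 'changed_at' => new DateTimeImmutable('2016-01-15')],
    // changed about six weeks before $now
    ['hash' => password_hash('spring2016', PASSWORD_BCRYPT), 'changed_at' => new DateTimeImmutable('2016-04-20')],
];

$candidates = ['spring2016', 'winter2016', 'summer2016'];
foreach ($candidates as $candidate) {
    if (isPasswordReused($candidate, $history, $now)) {
        echo "$candidate: previously used within the window, choose another\n";
    } else {
        echo "$candidate: accepted\n";
        $history = recordPassword($history, password_hash($candidate, PASSWORD_BCRYPT), $now);
    }
}
```

If you would rather stay inside Symfony's encoder abstraction than call `password_verify()` directly, note that the encoder service is what needs a user: `Symfony\Component\Security\Core\Encoder\BCryptPasswordEncoder::isPasswordValid($encoded, $raw, $salt)` takes a stored hash and the raw password, so you can run it over history rows without a `UserInterface` object. Either way, keep only hashes in the history table and prune by date rather than growing it without bound.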