Hi internals,

I just spent some time debugging an authentication issue after upgrading
PHP, and realized that it was due to ext-sodium not being installed, so
password_verify() would always return false for argon2i hashes.

Digging a bit more, I realized that password_verify() does not complain if
the algorithm is unknown, or if the hash string is malformed:

    var_export(password_verify('passw0rd', 'any/string%as|a$hash')); // false

Shouldn't it throw an exception, or at least trigger a warning, when the
algorithm is unknown or the hash is malformed? Returning false, IMO, should
mean "I recognize this hash, but it doesn't match your password". "I don't
recognize this hash" is an application issue and should be reported.

What do you think?

— Benjamin
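One way to get the behaviour asked for above today, without waiting for a core change, is to check the hash with password_get_info() before calling password_verify(). The wrapper below is an added example, not code from the post or from php-src; it assumes PHP 7.4 or later, where password_get_info() returns 'algo' => null and 'algoName' => 'unknown' for a hash whose algorithm is not registered in this build (which is exactly what happens to an argon2i hash when neither the argon2 library nor ext-sodium is available), and where password_algos() lists the registered algorithms. The class name, function name and demo inputs are hypothetical and constructed for the example.

```php
<?php
declare(strict_types=1);

// Hypothetical exception type: signals "this hash format is not something
// this PHP build can verify", which is a deployment/application error,
// not a wrong password.
final class UnknownPasswordHashException extends RuntimeException {}

/**
 * Like password_verify(), but throws when the hash's algorithm is not
 * recognised by this build instead of silently returning false.
 *
 * Assumes PHP >= 7.4: password_get_info() yields 'algo' => null and
 * 'algoName' => 'unknown' for unrecognised hashes; password_algos()
 * lists the algorithms compiled in.
 */
function verify_password_strict(string $password, string $hash): bool
{
    $info = password_get_info($hash);

    // No registered algorithm claims this hash: either the identifier is
    // unknown, or the algorithm (e.g. argon2i/argon2id) is missing from
    // this build. Report it rather than failing the login quietly.
    if ($info['algo'] === null || $info['algoName'] === 'unknown') {
        throw new UnknownPasswordHashException(sprintf(
            'Unrecognised password hash format; algorithms available in this build: %s',
            implode(', ', password_algos())
        ));
    }

    // From here on, false really does mean "recognised hash, wrong password".
    return password_verify($password, $hash);
}

// Constructed demo inputs (bcrypt is always available, so these run anywhere).
$hash = password_hash('passw0rd', PASSWORD_BCRYPT, ['cost' => 4]);

var_dump(verify_password_strict('passw0rd', $hash)); // matching password
var_dump(verify_password_strict('wrong', $hash));    // recognised hash, wrong password

// The malformed string from the post: now an exception instead of false.
try {
    verify_password_strict('passw0rd', 'any/string%as|a$hash');
} catch (UnknownPasswordHashException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Two caveats worth knowing. password_get_info() only looks at the hash prefix, so a string with a valid "$2y$" prefix but a truncated or corrupted body is still reported as bcrypt and password_verify() still just returns false for it; the wrapper only catches the "unknown algorithm" case, not every malformed hash. And it cannot tell a genuinely unknown identifier apart from an algorithm that is merely missing from the build, which is why the message lists password_algos(): seeing argon2i absent from that list is what would have pointed straight at the missing extension in the situation described above.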
