I have recommended to a client that their login system implement password_needs_rehash, so that as their version of PHP is upgraded, the user accounts within their web app will have the password automatically rehashed and re-saved. My reason for doing so is to ensure that as brute-forcing passwords becomes more capable, with CPUs emerging of increasing speed, password hashes need to be upgraded.

I start from the assessment that the PHP hashing facilities were introduced in PHP 5.5 and we've had five major versions since then, with 7.4 around the corner. Have any of these changed the default hashing algo or the internal cost option, such that presenting an "old" hash would return true if the rehash test function is used?

If they have, I could grab an old copy of PHP, generate a hash, and then use that in my API tests, to show that an old hash is indeed upgraded in the later version of PHP.

It looks like 7.2 and 7.3 included new hashing algos, but the default was not changed, and on that basis, this method would return false. I have not found any information about whether the default cost has been changed since these functions were added.

If it is the case that the default password_hash settings have never been changed that would cause a rehash, I could add a manual cost parameter based on the timing script on the password_hash doc page, but that requires manual intervention that my non-technical client is unlikely to undertake themselves. Can it be automatic based on PHP upgrades?
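As an added example (not code from the question or from any answer), the following PHP shows how password_needs_rehash() behaves: it returns true only when the stored hash's algorithm or options differ from the ones the application passes in, so a hash made at the default cost is only flagged once the application's own cost is higher. The calibrateBcryptCost() helper is hypothetical and mirrors the timing loop on the password_hash documentation page, so that the cost tracks machine speed without a manual edit.

```php
<?php
// Added example, not part of the original question. Hypothetical helper:
// pick the highest bcrypt cost that still hashes within $targetMs on this host.
// Run it once at deploy time and cache the result in config rather than on
// every request, since each probe deliberately takes a noticeable time.
function calibrateBcryptCost(float $targetMs = 250.0, int $min = 10, int $max = 14): int
{
    $cost = $min;
    do {
        $cost++;
        $start = microtime(true);
        password_hash('calibration-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsedMs = (microtime(true) - $start) * 1000;
    } while ($elapsedMs < $targetMs && $cost < $max);
    return $cost;
}

// Parameters the application currently wants for new and upgraded hashes.
// $algo is left untyped because PASSWORD_BCRYPT is an int before PHP 7.4
// and a string from 7.4 onward.
$algo    = PASSWORD_BCRYPT;
$options = ['cost' => calibrateBcryptCost()];

// Login flow: verify against the stored hash first, then transparently
// upgrade it if its parameters are weaker than the current ones.
// Returns the hash the caller should persist (unchanged if no upgrade).
function loginAndUpgrade(string $storedHash, string $password, $algo, array $options): array
{
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'hash' => $storedHash];
    }
    if (password_needs_rehash($storedHash, $algo, $options)) {
        // Rehash with the current parameters; the caller saves this value.
        return ['ok' => true, 'hash' => password_hash($password, $algo, $options)];
    }
    return ['ok' => true, 'hash' => $storedHash];
}

// Constructed sample: a hash produced at the long-standing default cost of 10,
// standing in for a hash saved under an older PHP release.
$password = 'correct horse battery staple';
$oldHash  = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

echo 'calibrated cost: ', $options['cost'], PHP_EOL;
echo 'needs rehash: ', var_export(password_needs_rehash($oldHash, $algo, $options), true), PHP_EOL;

$result = loginAndUpgrade($oldHash, $password, $algo, $options);
echo 'login ok: ', var_export($result['ok'], true), PHP_EOL;
echo 'hash replaced: ', var_export($result['hash'] !== $oldHash, true), PHP_EOL;
```

Because password_needs_rehash() compares against the parameters you supply, not against a PHP version, the upgrade happens automatically only if the application's cost (here, the calibrated value) is itself allowed to change as hardware improves.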
