Could it be a good idea to "re-hash" a password after every login and save the new hash into the database? Are there any pros and cons for this in terms of modern security standards?
Here is a minimal code example in PHP:
function login(string $username, string $password): bool {
    // function arguments coming from $_POST
    $user = User::findByUsername($username);
    if ($user) {
        if (password_verify($password, $user->password)) {
            // re-hash password ...
            $user->password = password_hash($password, PASSWORD_DEFAULT);
            // ... and save it in database
            $user->save();
            return true;
        }
    }
    return false;
}
Rehashing the password after each successful login does not increase security.

If the function password_hash() used a fixed global salt, the hash would look exactly the same for the same password, so an attacker would not even notice any difference in the database.

However, the function password_hash() will generate a long enough unique salt if used properly, and several hashes of the same password with different salts will not make brute-forcing easier.

So while rehashing does not weaken security, it does not help in any way either; it is better to use the time to increase the cost factor.
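As an added illustration of the answer's last point (this is example code, not code from the question or the answer), the following variant of the question's login() rehashes only when the stored hash falls below the current policy, which is what password_needs_rehash() reports. It assumes the same User model as the question (User::findByUsername(), a password column holding a password_hash() string, and $user->save()); the cost value and the sample password are constructed for the example.

```php
<?php
// Added example, not the question's or the answer's own code.
// Assumes the question's User model: User::findByUsername(),
// $user->password holding a password_hash() string, and $user->save().

// Current hashing policy. Raising 'cost' is the change that actually buys
// security: bcrypt cost is a log2 of the rounds, so cost 12 is about four
// times the work of the PHP default cost 10. Revisit it as hardware speeds up.
const HASH_ALGO = PASSWORD_BCRYPT;
const HASH_OPTIONS = ['cost' => 12];

function hashPassword(string $password): string
{
    return password_hash($password, HASH_ALGO, HASH_OPTIONS);
}

function login(string $username, string $password): bool
{
    $user = User::findByUsername($username);
    if (!$user || !password_verify($password, $user->password)) {
        return false;
    }

    // Rehash only when the stored hash was produced with an older algorithm
    // or a lower cost than the current policy. A hash that already matches
    // the policy is left alone: writing a fresh salt on every login changes
    // nothing for an attacker, as the answer explains.
    if (password_needs_rehash($user->password, HASH_ALGO, HASH_OPTIONS)) {
        $user->password = hashPassword($password);
        $user->save();
    }
    return true;
}

// Self-check of the policy logic, runnable without a database.
// The password and the "legacy" cost of 10 are constructed sample values.
$sample = 'correct horse battery staple';
$legacyHash = password_hash($sample, PASSWORD_BCRYPT, ['cost' => 10]);
$currentHash = hashPassword($sample);

// The legacy hash is below the cost policy and is flagged for rehash;
// the current hash already meets the policy and is not.
var_dump(password_needs_rehash($legacyHash, HASH_ALGO, HASH_OPTIONS));
var_dump(password_needs_rehash($currentHash, HASH_ALGO, HASH_OPTIONS));

// password_get_info() exposes the cost that was used, which is how
// password_needs_rehash() decides; useful when auditing a user table.
var_dump(password_get_info($legacyHash)['options']);
var_dump(password_get_info($currentHash)['options']);
```

With this pattern, raising HASH_OPTIONS['cost'] in one place migrates every account on its next successful login, since the plaintext is only available at that moment; accounts that never log in keep their old hash, so a periodic query on password_get_info() cost values shows how far the migration has progressed.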