Last Updated: 2021-05-15
X asked me to change the password in production. I went into the php tinker REPL console and did this:
<?php $user->password = "new-password"; $user->save();
And I announced to X that I was done. Later he tried to log in. It failed.
Why? Because this particular framework does not hash a password automatically when you assign it through the model setter (unlike, for example, the Ruby on Rails setters), so the plain string "new-password" was written to the database. When my colleague attempted to log in with "new-password", the framework hashed what he typed and compared that hash to the stored value, plain old "new-password", which obviously did not match.
If data is hashed or encrypted in the DB, double-check that your setters actually perform that step instead of assuming they do.
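The two behaviours side by side, as an added example that is not from the original note or from any particular framework: a naive model that persists whatever you assign, a model whose `__set` mutator hashes the `password` attribute, and a `looksHashed()` check that tells you whether the column really holds a hash before you announce you are done. Class and function names are made up for illustration; it assumes PHP 7.4+ with the built-in `password_*` functions.

```php
<?php
// Naive model: the assignment in the story. Whatever you assign is what
// gets persisted, so "new-password" would be stored in plain text.
final class NaiveUser
{
    public array $attributes = [];

    public function __set(string $name, $value): void
    {
        $this->attributes[$name] = $value;
    }
}

// Hardened model: a mutator intercepts writes to `password` and stores only
// the hash, so a REPL one-liner and a form handler behave the same way.
final class HashingUser
{
    public array $attributes = [];

    public function __set(string $name, $value): void
    {
        if ($name === 'password') {
            $value = password_hash((string) $value, PASSWORD_DEFAULT);
        }
        $this->attributes[$name] = $value;
    }

    // Login check: verify the submitted password against the stored hash
    // (password_verify does the constant-time comparison for you).
    public function checkPassword(string $plain): bool
    {
        return password_verify($plain, $this->attributes['password'] ?? '');
    }
}

// Sanity check worth running on the stored value: is it a recognised hash?
function looksHashed(string $stored): bool
{
    return !empty(password_get_info($stored)['algo']);
}

$naive = new NaiveUser();
$naive->password = 'new-password';
assert(!looksHashed($naive->attributes['password'])); // plain text would hit the DB

$user = new HashingUser();
$user->password = 'new-password';
assert(looksHashed($user->attributes['password']));
assert($user->checkPassword('new-password'));
assert(!$user->checkPassword('wrong'));
```

In a real console session the equivalent of `looksHashed()` against the freshly saved row is the one-line check that would have caught the mistake before the login attempt did.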