[wp-trac] [WordPress Trac] #21022: Allow bcrypt to be enabled via filter for pass hashing
WordPress Trac
noreply at wordpress.org
Wed Feb 17 22:09:54 UTC 2016
#21022: Allow bcrypt to be enabled via filter for pass hashing
---------------------------------------------+-----------------------------
Reporter: th23 | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security |
Severity: normal | Version: 3.4
Keywords: 2nd-opinion has-patch 4.5-early | Resolution:
| Focuses:
---------------------------------------------+-----------------------------
Comment (by wturrell):
(Hello, I am new.)
As the ticket is nearly four years old, would the fastest way to make a
little progress, but with minimal disruption and whilst keeping our future
options open, be implementing the original constant idea, so
$portable_hashes can be false?
Even if the decision is not to activate bcrypt by default for new
installations, it would at least allow informed users to increase their
security level right now. As already mentioned, phpass stores the
algorithm in the initial characters, so it's not computationally expensive
to determine which type of password it is (i.e. you don't have to try each
in turn) and I can't see how it would restrict future choice of
encryption.
Also, I note there are multiple copies of this conditional in core; could it
be refactored for DRY purposes?
{{{#!php
if ( empty( $wp_hasher ) ) {
	require_once ABSPATH . WPINC . '/class-phpass.php';
	$wp_hasher = new PasswordHash( 8, true );
}
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:73>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
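
Added example, not part of the original message and not WordPress core code: the comment's point that a stored hash can be identified from its leading characters, without trying each algorithm in turn. The function names and the sample values are assumptions made for illustration; the prefixes and lengths are the ones phpass and PHP's crypt() emit.

```php
<?php
// Added example; classify_stored_hash() and hash_needs_upgrade() are hypothetical names.

/** Identify the scheme of a stored hash from its prefix and length. No hashing is done. */
function classify_stored_hash( string $hash ): string {
	// bcrypt via crypt(): "$2a$", "$2x$" or "$2y$", two-digit cost, 60 characters total.
	if ( 60 === strlen( $hash ) && preg_match( '/^\$2[axy]\$\d{2}\$/', $hash ) ) {
		return 'bcrypt';
	}
	// phpass portable (iterated MD5): "$P$" (or "$H$" from phpBB3), 34 characters total.
	if ( 34 === strlen( $hash ) && preg_match( '/^\$[PH]\$/', $hash ) ) {
		return 'phpass-portable';
	}
	// Extended DES, phpass's middle fallback: leading "_", 20 characters total.
	if ( 20 === strlen( $hash ) && '_' === $hash[0] ) {
		return 'ext-des';
	}
	// Plain unsalted MD5 from very old installs: 32 hex characters.
	if ( preg_match( '/^[a-f0-9]{32}$/', $hash ) ) {
		return 'legacy-md5';
	}
	return 'unknown';
}

/** True when the hash should be regenerated after the user's next successful login. */
function hash_needs_upgrade( string $hash, string $preferred = 'bcrypt' ): bool {
	return classify_stored_hash( $hash ) !== $preferred;
}

// Constructed sample values. The portable and ext-des strings are shaped placeholders,
// not real hashes of any password.
$samples = array(
	password_hash( 'example', PASSWORD_BCRYPT, array( 'cost' => 4 ) ),
	'$P$B' . str_repeat( 'a', 30 ),
	'_' . str_repeat( 'a', 19 ),
	md5( 'example' ),
	'not-a-hash',
);

foreach ( $samples as $hash ) {
	printf(
		"%-16s upgrade=%s  %s\n",
		classify_stored_hash( $hash ),
		hash_needs_upgrade( $hash ) ? 'yes' : 'no',
		$hash
	);
}
```

Because classification is a string comparison, mixed hash types can coexist in one users table and be upgraded one login at a time.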