[wp-hackers] Should password hashing portability be configurable?

CloudPress Hosting cloudpresshosting at gmail.com
Wed Nov 7 18:57:08 UTC 2012


Sounds a bit overcomplicated. I wonder why they would not just use SHA256
with salt.

On Wed, Nov 7, 2012 at 10:55 AM, Harry Metcalfe <harry at dxw.com> wrote:

> No. In a nutshell:
>
> No, it's not just MD5. It's PHPASS, which (for WordPress) uses MD5 as a
> cryptographic primitive. But there's more going on than that -- there are
> multiple rounds of hashing, plus a salt that's unique to each hashed
> password.
>
> It's not a bad system. It's just not as good as bcrypt.
>
> Harry
>
>
>
> On 07/11/12 18:47, CloudPress Hosting wrote:
>
>> To make sure I am understanding you: are you saying account passwords are
>> hashed with MD5? I would certainly hope not.
>>
>> On Wed, Nov 7, 2012 at 6:18 AM, Harry Metcalfe <harry at dxw.com> wrote:
>>
>>> I've been investigating switching the sites we host to bcrypt, rather
>>> than MD5, which is the default. That MD5 is the default is regrettable
>>> but understandable given WordPress's need to remain portable. I
>>> understand that if the site was moved to a server without bcrypt
>>> support, those accounts would no longer be accessible. However, if that
>>> is not a consideration, it would surely be better for people to use
>>> bcrypt than MD5.
>>>
>>> I was going to make the change on our sites by switching the portable
>>> flags in wp_check_password and wp_hash_password to false, after moving
>>> those functions into a plugin. This makes new passwords bcrypt and
>>> maintains backwards compatibility for passwords hashed using MD5.
>>> However, it misses the hashes which are created for password-protected
>>> posts, which happens in a function that is not pluggable.
>>>
>>> I've therefore created a global $wp_hasher instance (without
>>> portability) in a plugin, which I think should get called before
>>> WordPress has a chance to make it.
>>>
>>> Questions:
>>>
>>> 1. Is that right? Is there a scenario where WordPress will make a
>>>     wp_hasher before my mu plugin gets loaded, thereby preventing
>>>     someone from logging in?
>>> 2. Is it worth adding a WP_UNPORTABLE_PASSWORDS define so that people
>>>     who want to make the switch can do so without having to fiddle with
>>>     wp_hasher?
>>>
>>> Harry
>>> _______________________________________________
>>> wp-hackers mailing list
>>> wp-hackers at lists.automattic.com
>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>

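An mu-plugin that does what the quoted post describes (a non-portable global $wp_hasher plus pluggable wp_hash_password/wp_check_password overrides), added here as an illustration and not code from the thread or from WordPress core. It assumes WordPress's bundled PHPass class in wp-includes/class-phpass.php, that pluggable.php is loaded after mu-plugins, and the core wp_set_password function; the plugin header text is constructed.

```php
<?php
/*
Plugin Name: Non-portable password hashing (example mu-plugin)
Description: Builds the global $wp_hasher with portability off and overrides
the pluggable password functions so that newly stored hashes are bcrypt.
*/
// Loaded as an mu-plugin, so this runs before pluggable.php is included and
// before core lazily creates its own PasswordHash(8, true) in $wp_hasher.
require_once ABSPATH . WPINC . '/class-phpass.php';

global $wp_hasher;
// Cost 2^8 rounds, portable = false: PHPass emits bcrypt ($2a$) hashes when
// CRYPT_BLOWFISH is available. Password-protected posts read this same global,
// so they are covered too. On a host without bcrypt PHPass silently falls
// back to weaker hash types, which is the portability trade-off under discussion.
$wp_hasher = new PasswordHash( 8, false );

if ( ! function_exists( 'wp_hash_password' ) ) {
	function wp_hash_password( $password ) {
		global $wp_hasher;
		return $wp_hasher->HashPassword( trim( $password ) );
	}
}

if ( ! function_exists( 'wp_check_password' ) ) {
	function wp_check_password( $password, $hash, $user_id = '' ) {
		global $wp_hasher;
		// Legacy plain-MD5 hashes from very old installs are 32 hex characters.
		if ( strlen( $hash ) <= 32 ) {
			$check = ( $hash === md5( $password ) );
			if ( $check && $user_id ) {
				wp_set_password( $password, $user_id ); // re-store as bcrypt
				$hash = wp_hash_password( $password );
			}
			return apply_filters( 'check_password', $check, $password, $hash, $user_id );
		}

		// CheckPassword verifies both portable ($P$) and bcrypt ($2a$) hashes,
		// so hashes created before the switch keep working.
		$check = $wp_hasher->CheckPassword( $password, $hash );
		// Upgrade a still-portable hash to bcrypt once the user logs in successfully.
		if ( $check && $user_id && 0 === strpos( $hash, '$P$' ) ) {
			wp_set_password( $password, $user_id );
		}

		return apply_filters( 'check_password', $check, $password, $hash, $user_id );
	}
}
```

Drop the file into wp-content/mu-plugins/ so it loads before any regular plugin or theme can trigger creation of the default hasher.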
