[wp-hackers] Should password hashing portability be configurable?
CloudPress Hosting
cloudpresshosting at gmail.com
Wed Nov 7 19:06:21 UTC 2012
I'm not saying they should use the same salt for each user I'm saying it
should use sha256 for the hash which i believe is supported by every
version WordPress already supports.
On Nov 7, 2012 11:02 AM, "Harry Metcalfe" <harry at dxw.com> wrote:
> Nah. It's good. The individual salts are much better than having one salt
> for everything.
>
> I think it uses MD5 because that's the only one that's supported by pretty
> much every version of PHP.
>
> Harry
>
>
> On 07/11/12 18:57, CloudPress Hosting wrote:
>
>> Sounds a bit over complicated. I wonder why they would not just use SHA256
>> with salt.
>>
>> On Wed, Nov 7, 2012 at 10:55 AM, Harry Metcalfe <harry at dxw.com> wrote:
>>
>> No. In a nutshell:
>>>
>>> No, it's not just MD5. It's PHPASS, which (for WordPress) uses MD5 as a
>>> cryptographic primitive. But there's more going on than that -- there are
>>> multiple rounds of hashing, plus a salt that's unique to each hashed
>>> password.
>>>
>>> It's not a bad system. It's just not as good as bcrypt.
>>>
>>> Harry
>>>
>>>
>>>
>>> On 07/11/12 18:47, CloudPress Hosting wrote:
>>>
>>> To make sure I am understanding you are you saying account passwords are
>>>> hashed with MD5? I would certainly hope not.
>>>>
>>>> On Wed, Nov 7, 2012 at 6:18 AM, Harry Metcalfe <harry at dxw.com> wrote:
>>>>
>>>> I've been investigating switching the sites we host to bcrypt, rather
>>>>
>>>>> than
>>>>> MD5, which is the default. That MD5 is the default is regrettable but
>>>>> understandable given WordPress's need to remain portable. I understand
>>>>> that
>>>>> if the site was moved to a server without bcrypt support, those
>>>>> accounts
>>>>> would no longer be accessible. However, if that is not a consideration,
>>>>> it
>>>>> would surely be better for people to use bcrypt than MD5.
>>>>>
>>>>> I was going to make change on our sites by switching the portable flags
>>>>> in
>>>>> wp_check_password and wp_hash_password to false, after moving those
>>>>> functions into a plugin. This makes new passwords bcrypt and maintains
>>>>> backwards compatibility for passwords hashed using MD5. However, it
>>>>> misses
>>>>> the hashes which are created for password-protected posts, which
>>>>> happens
>>>>> in
>>>>> a function that is not pluggable.
>>>>>
>>>>> I've therefore created a global $wp_hasher instance (without
>>>>> portability)
>>>>> in a plugin, which I think should get called before WordPress has a
>>>>> chance
>>>>> to make it.
>>>>>
>>>>> Questions:
>>>>>
>>>>> 1. Is that right? Is there a scenario where WordPress will make a
>>>>> wp_hasher before my mu plugin gets loaded, thereby preventing
>>>>> someone from logging in?
>>>>> 2. Is it worth adding a WP_UNPORTABLE_PASSWORDS define so that people
>>>>> who want to make the switch can do so without having to fiddle
>>>>> with
>>>>> wp_hasher?
>>>>>
>>>>> Harry
>>>>> ______________________________******_________________
>>>>> wp-hackers mailing list
>>>>> wp-hackers at lists.automattic.******com <wp-hackers at lists.automattic.***
>>>>> *com<wp-hackers at lists.**automattic.com<wp-hackers at lists.automattic.com>
>>>>> >
>>>>> http://lists.automattic.com/******mailman/listinfo/wp-hackers<http://lists.automattic.com/****mailman/listinfo/wp-hackers>
>>>>> <**http://lists.automattic.com/****mailman/listinfo/wp-hackers<http://lists.automattic.com/**mailman/listinfo/wp-hackers>
>>>>> >
>>>>> <ht**tp://lists.automattic.**com/**mailman/listinfo/wp-**hackers<http://lists.automattic.com/**mailman/listinfo/wp-hackers>
>>>>> <http://lists.**automattic.com/mailman/**listinfo/wp-hackers<http://lists.automattic.com/mailman/listinfo/wp-hackers>
>>>>> >
>>>>> ______________________________****_________________
>>>>>
>>>> wp-hackers mailing list
>>>> wp-hackers at lists.automattic.****com <wp-hackers at lists.automattic.**com<wp-hackers at lists.automattic.com>
>>>> >
>>>> http://lists.automattic.com/****mailman/listinfo/wp-hackers<http://lists.automattic.com/**mailman/listinfo/wp-hackers>
>>>> <ht**tp://lists.automattic.com/**mailman/listinfo/wp-hackers<http://lists.automattic.com/mailman/listinfo/wp-hackers>
>>>> >
>>>>
>>>> ______________________________****_________________
>>> wp-hackers mailing list
>>> wp-hackers at lists.automattic.****com <wp-hackers at lists.automattic.**com<wp-hackers at lists.automattic.com>
>>> >
>>> http://lists.automattic.com/****mailman/listinfo/wp-hackers<http://lists.automattic.com/**mailman/listinfo/wp-hackers>
>>> <ht**tp://lists.automattic.com/**mailman/listinfo/wp-hackers<http://lists.automattic.com/mailman/listinfo/wp-hackers>
>>> >
>>>
>>> ______________________________**_________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.**com <wp-hackers at lists.automattic.com>
>> http://lists.automattic.com/**mailman/listinfo/wp-hackers<http://lists.automattic.com/mailman/listinfo/wp-hackers>
>>
>
> ______________________________**_________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.**com <wp-hackers at lists.automattic.com>
> http://lists.automattic.com/**mailman/listinfo/wp-hackers<http://lists.automattic.com/mailman/listinfo/wp-hackers>
>
More information about the wp-hackers
mailing list