[wp-hackers] Should password hashing portability be configurable?

Harry Metcalfe harry at dxw.com
Wed Nov 7 19:07:45 UTC 2012


Ah. Ok. Not so sure about that. Perhaps it's because PHPass is an 
external library and they don't want to modify it?

Otto - any idea?

Harry


On 07/11/12 19:06, CloudPress Hosting wrote:
> I'm not saying they should use the same salt for each user; I'm saying it
> should use sha256 for the hash, which I believe is supported by every
> version WordPress already supports.
> On Nov 7, 2012 11:02 AM, "Harry Metcalfe" <harry at dxw.com> wrote:
>
>> Nah. It's good. The individual salts are much better than having one salt
>> for everything.
>>
>> I think it uses MD5 because that's the only one that's supported by pretty
>> much every version of PHP.
>>
>> Harry
>>
>>
>> On 07/11/12 18:57, CloudPress Hosting wrote:
>>
>>> Sounds a bit over complicated. I wonder why they would not just use SHA256
>>> with salt.
>>>
>>> On Wed, Nov 7, 2012 at 10:55 AM, Harry Metcalfe <harry at dxw.com> wrote:
>>>
>>>> No. In a nutshell:
>>>>
>>>> No, it's not just MD5. It's PHPASS, which (for WordPress) uses MD5 as a
>>>> cryptographic primitive. But there's more going on than that -- there are
>>>> multiple rounds of hashing, plus a salt that's unique to each hashed
>>>> password.
>>>>
>>>> It's not a bad system. It's just not as good as bcrypt.
>>>>
>>>> Harry
>>>>
>>>>
>>>>
>>>> On 07/11/12 18:47, CloudPress Hosting wrote:
>>>>
>>>>> To make sure I am understanding: are you saying account passwords are
>>>>> hashed with MD5? I would certainly hope not.
>>>>>
>>>>> On Wed, Nov 7, 2012 at 6:18 AM, Harry Metcalfe <harry at dxw.com> wrote:
>>>>>
>>>>>> I've been investigating switching the sites we host to bcrypt, rather
>>>>>> than MD5, which is the default. That MD5 is the default is regrettable
>>>>>> but understandable given WordPress's need to remain portable. I
>>>>>> understand that if the site was moved to a server without bcrypt
>>>>>> support, those accounts would no longer be accessible. However, if that
>>>>>> is not a consideration, it would surely be better for people to use
>>>>>> bcrypt than MD5.
>>>>>>
>>>>>> I was going to make the change on our sites by switching the portable
>>>>>> flags in wp_check_password and wp_hash_password to false, after moving
>>>>>> those functions into a plugin. This makes new passwords bcrypt and
>>>>>> maintains backwards compatibility for passwords hashed using MD5.
>>>>>> However, it misses the hashes which are created for password-protected
>>>>>> posts, which happens in a function that is not pluggable.
>>>>>>
>>>>>> I've therefore created a global $wp_hasher instance (without
>>>>>> portability) in a plugin, which I think should get called before
>>>>>> WordPress has a chance to make it.
>>>>>>
>>>>>> Questions:
>>>>>>
>>>>>> 1. Is that right? Is there a scenario where WordPress will make a
>>>>>>    wp_hasher before my mu plugin gets loaded, thereby preventing
>>>>>>    someone from logging in?
>>>>>> 2. Is it worth adding a WP_UNPORTABLE_PASSWORDS define so that people
>>>>>>    who want to make the switch can do so without having to fiddle
>>>>>>    with wp_hasher?
>>>>>>
>>>>>> Harry
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
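The mu-plugin approach Harry describes above, written out as an added example (not code from the thread or from WordPress core). It assumes the real PHPass `PasswordHash` class shipped in `wp-includes/class-phpass.php`, the pluggable `wp_hash_password` / `wp_check_password` functions and `wp_set_password`; the re-hash-on-login step is an assumption that goes beyond the thread, so that existing MD5-based `$P$` hashes are replaced with bcrypt as users log in.

```php
<?php
/*
 * Plugin Name: Non-portable password hashes (example mu-plugin)
 * Added example, not WordPress core code. Drop into wp-content/mu-plugins/.
 * mu-plugins load before pluggable.php, so $wp_hasher is created here first
 * and the pluggable functions below win over the core definitions.
 */

global $wp_hasher;

if ( empty( $wp_hasher ) ) {
    require_once ABSPATH . WPINC . '/class-phpass.php';
    // 8 = bcrypt cost (2^8 rounds); false = portable_hashes off, so PHPass
    // uses crypt()'s bcrypt ($2a$). Note: PHPass still falls back to the
    // portable MD5 scheme if CRYPT_BLOWFISH is unavailable on the host.
    $wp_hasher = new PasswordHash( 8, false );
}

if ( ! function_exists( 'wp_hash_password' ) ) {
    function wp_hash_password( $password ) {
        global $wp_hasher;
        return $wp_hasher->HashPassword( trim( $password ) );
    }
}

if ( ! function_exists( 'wp_check_password' ) ) {
    function wp_check_password( $password, $hash, $user_id = '' ) {
        global $wp_hasher;

        // CheckPassword() recognises both bcrypt and the old portable
        // $P$ format, which is what keeps pre-existing accounts working.
        $check = $wp_hasher->CheckPassword( $password, $hash );

        // Assumed upgrade path (not in the thread): a password that just
        // verified against a portable $P$ hash is re-stored as bcrypt via
        // wp_set_password(), which calls wp_hash_password() above.
        if ( $check && $user_id && 0 === strpos( $hash, '$P$' ) ) {
            wp_set_password( $password, $user_id );
        }

        return apply_filters( 'check_password', $check, $password, $hash, $user_id );
    }
}
```

Hashes for password-protected posts are still produced by the non-pluggable core function, but because that function reads the same global `$wp_hasher`, creating it here with portability off covers that path as well.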