[wp-hackers] Should password hashing portability be configurable?

Ryan McCue lists at rotorised.com
Thu Nov 8 10:45:14 UTC 2012

Otto wrote:
> Yes, that said, bcrypt was indeed intentionally designed to be
> slow-as-heck for hashing, so it would be more secure in theory. I have
> my doubts about that in practice. Modern GPU-based crackers are
> uber-fast.

The idea is that as computers get faster, you increase the "cost" of the
bcrypt function (where iterations = 2^cost). At the moment, the cost is
8 (see wp-includes/class-phpass.php, PasswordHash::PasswordHash() ),
which is 256 rounds.

(See also: http://security.stackexchange.com/a/17238 )

> Since we're on 5.3 and up now, it does make sense to remove the "true"
> from those functions, since every PHP 5.3 should have bcrypt in it.

Just to reiterate what was mentioned on #21022 [1], we're not actually
on 5.3+ yet, we're still on 5.2.4+, just in case anyone was confused.

[1]: http://core.trac.wordpress.org/ticket/21022

Ryan McCue
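
Added example, not part of the original message or of WordPress/phpass: a small audit helper that reads the work factor out of a stored hash and applies the iterations = 2^cost relation described above. It goes beyond the message by also recognising phpass "portable" hashes ($P$ prefix, cost encoded as one character of the phpass base-64 alphabet); the function names and the sample hashes are constructed for illustration.

```python
import re

# phpass base-64 alphabet; a character's index is its numeric value.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# bcrypt: $2a$/$2b$/$2x$/$2y$, two-digit cost, 22-char salt + 31-char digest.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
# phpass portable: $P$ or $H$, one cost character, 8-char salt, 22-char digest.
PORTABLE_RE = re.compile(r"^\$[PH]\$([./0-9A-Za-z])[./0-9A-Za-z]{30}$")

# Constructed samples: correct shape only, not digests of any real password.
SAMPLE_BCRYPT = "$2a$08$" + "A" * 53
SAMPLE_PORTABLE = "$P$B" + "x" * 30


def work_factor(stored_hash):
    """Return (scheme, cost, iterations), or None if the hash is unrecognised."""
    m = BCRYPT_RE.match(stored_hash)
    if m:
        cost = int(m.group(1))
        # bcrypt only accepts costs from 4 to 31.
        return ("bcrypt", cost, 2 ** cost) if 4 <= cost <= 31 else None
    m = PORTABLE_RE.match(stored_hash)
    if m:
        cost = ITOA64.index(m.group(1))
        # phpass rejects portable settings outside 7..30.
        if 7 <= cost <= 30:
            return ("phpass-portable-md5", cost, 2 ** cost)
    return None


def needs_rehash(stored_hash, min_bcrypt_cost):
    """True if the hash should be regenerated at the user's next login."""
    info = work_factor(stored_hash)
    if info is None:
        return True  # unknown or malformed format: do not trust it
    scheme, cost, _ = info
    return scheme != "bcrypt" or cost < min_bcrypt_cost


if __name__ == "__main__":
    for h in (SAMPLE_BCRYPT, SAMPLE_PORTABLE):
        print(h[:7], work_factor(h), needs_rehash(h, 10))
```

Raising the cost only affects newly generated hashes, so a check like needs_rehash has to run at login, when the plaintext password is available to hash again.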
