[wp-hackers] Should password hashing portability be configurable?
kevinjohngallagher at hotmail.com
Tue Nov 13 20:30:52 UTC 2012
Aren't we on PHP5.4.8 ?
At the very least we're on PHP5.4.4, as it came out the same day as WP3.4.And as we're always being told, there's no reason to not upgrade to the latest version of [insert software]. So everyone who's on 3.4 is also on PHP5.4.4. Riiight? ;-)
That said, I'm very much in favour of a conversation about choosing different - and/or additional - security/hashing functionality.
> Date: Thu, 8 Nov 2012 20:45:14 +1000
> From: lists at rotorised.com
> To: wp-hackers at lists.automattic.com
> Subject: Re: [wp-hackers] Should password hashing portability be configurable?
> Otto wrote:
> > Yes, that said, bcrypt was indeed intentionally designed to be
> > slow-as-heck for hashing, so it would be more secure in theory. I have
> > my doubts about that in practice. Modern GPU based crackers are
> > uber-fast.
> The idea is that as computers get faster, you increase the "cost" of the
> bcrypt function (where iterations = 2^cost). At the moment, the cost is
> 8 (see wp-includes/class-phpass.php, PasswordHash::PasswordHash() ),
> which is 256 rounds.
> (See also: http://security.stackexchange.com/a/17238 )
> > Since we're on 5.3 and up now, it does make sense to remove the "true"
> > from those functions, since every PHP 5.3 should have bcrypt in it.
> Just to reiterate what was mentioned on #21022 , we're not actually
> on 5.3+ yet, we're still on 5.2.4+, just in case anyone was confused.
> : http://core.trac.wordpress.org/ticket/21022
> Ryan McCue
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
More information about the wp-hackers