[wp-trac] [WordPress Trac] #21022: Use bcrypt for password hashing; updating old hashes

WordPress Trac noreply at wordpress.org
Wed Sep 18 07:52:47 UTC 2019


#21022: Use bcrypt for password hashing; updating old hashes
-------------------------------------------------+-------------------------
 Reporter:  th23                                 |       Owner:  (none)
     Type:  enhancement                          |      Status:  new
 Priority:  normal                               |   Milestone:  Future
                                                 |  Release
Component:  Security                             |     Version:  3.4
 Severity:  major                                |  Resolution:
 Keywords:  2nd-opinion has-patch needs-testing  |     Focuses:
  dev-feedback                                   |
-------------------------------------------------+-------------------------

Comment (by mbijon):

 Yeah @paragoninitiativeenterprises, that's what I was hoping to do with my
 1st post today. I do think there are some non-tech steps to take, but
 using your bcrypt-sha-base64 solution eliminates the need for a password-
 length warning.

 I was leaning toward a forced password-update over backward-compat hashes.
 It's a big security improvement over having copies of low-security MD5s
 around for years.

 But if anyone wants to weigh in on PM stuff instead of crypto ... How
 about...?

 1. Add Paragon's bcrypt-sha-base64 solution and remove `passwordHash`
 2. Implement hash-type detection for `$P$B`, `$2y$` and `$argon2i$` (maybe
 `$2a$`?)
 3. For the upgrade, add an `is_legacy_password = true` to
 `usermeta.meta_key` for every user with a `$P$B` hash.
 4. Also during upgrade, using the hash-type detection:
   * Add unit tests for `$2y$` functionality.
   * Batch update every `$P$B` hash into a `$2y$` format.
   * Helps plugins like "wp-password-bcrypt" because the hash detection
 ensures NOT expiring existing `$2y$` or better hashes.
 5. Hook the login Action to check for `is_legacy_password == true` and
 prompt the user to change their password (including UX with a "why"). On
 new password creation, set `is_legacy_password = false`.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:123>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
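As an added illustration of the bcrypt-sha-base64 scheme and the login-time upgrade flow sketched in the comment above (example code, not from the ticket or WordPress core), the following PHP assumes a `wp_check_password`-style callable for verifying legacy `$P$B` hashes and uses hypothetical `th_*` function names:

```php
<?php
// Added example, not WordPress core code. Requires PHP >= 5.5 for
// password_hash()/password_verify(); argon2i verification needs PHP >= 7.2.

// Pre-hash with SHA-384 and base64-encode so bcrypt's 72-byte input limit
// never silently truncates long passwords (this is the "bcrypt-sha-base64" idea).
function th_prehash(string $password): string {
    return base64_encode(hash('sha384', $password, true));
}

function th_hash_password(string $password): string {
    return password_hash(th_prehash($password), PASSWORD_BCRYPT, ['cost' => 12]);
}

function th_verify_bcrypt(string $password, string $hash): bool {
    return password_verify(th_prehash($password), $hash);
}

// Step 2: hash-type detection by prefix, so existing $2y$/$2a$ hashes
// (e.g. from wp-password-bcrypt) are recognised and not expired.
function th_hash_type(string $hash): string {
    if (strncmp($hash, '$P$B', 4) === 0) return 'phpass';
    if (strncmp($hash, '$2y$', 4) === 0 || strncmp($hash, '$2a$', 4) === 0) return 'bcrypt';
    if (strncmp($hash, '$argon2i$', 9) === 0) return 'argon2i';
    return 'unknown';
}

// Steps 3 and 5 at login time. $legacy_verify is a callable such as
// wp_check_password() for $P$B hashes (assumption: it returns bool).
// Returns [password_ok, replacement_hash_or_null, is_legacy_password].
function th_check_and_upgrade(string $password, string $stored, callable $legacy_verify): array {
    switch (th_hash_type($stored)) {
        case 'bcrypt':
            return [th_verify_bcrypt($password, $stored), null, false];
        case 'argon2i':
            // Assumption: argon2i hashes were computed over the raw password.
            return [password_verify($password, $stored), null, false];
        case 'phpass':
            if (!$legacy_verify($password, $stored)) return [false, null, true];
            // The plaintext is available now, so rehash and clear the legacy flag.
            return [true, th_hash_password($password), false];
        default:
            return [false, null, true];
    }
}
```

A caller that receives a non-null replacement hash stores it and sets `is_legacy_password = false`; users who never log in keep the flag and can be handled by the batch step.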
