[wp-trac] [WordPress Trac] #21022: Use bcrypt for password hashing; updating old hashes
WordPress Trac
noreply at wordpress.org
Sun Dec 11 09:02:26 UTC 2022
#21022: Use bcrypt for password hashing; updating old hashes
-------------------------------------------------+-------------------------
Reporter: th23 | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Future Release
Component: Security | Version: 3.4
Severity: major | Resolution:
Keywords: 2nd-opinion has-patch needs-testing dev-feedback | Focuses:
-------------------------------------------------+-------------------------
Comment (by stgoos):
Replying to [comment:126 my1xt]:
> @SergeyBiryukov I think we can ax phpass altogether in new versions now
> that WP is committed to use recent PHP versions, and in fact that oldest
> version stated to work is something in 5.6
>
> https://wordpress.org/about/requirements/
> "WordPress also works with PHP 5.6.20"
>
> or was WP downgrading ever a thing?

Only when you have a plugin that isn't yet compatible with the newer
version of WordPress, but that should only be a very temporary
situation. That said, for the more serious web admins this will only
happen on their development/test/staging site and not (as in: never) on
their production site.

But in all seriousness. It's plain ridiculous that this particular
security topic/ticket (''opened on June 20, 2012!!'') has still not made
it into the core of WordPress. The minimum PHP requirement for WordPress
has gone up to PHP 7.4 a while ago already so that can't be the reason
(anymore) not to tackle this long long overdue security improvement.
Please include it in WordPress 6.2.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:128>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform