[wp-trac] [WordPress Trac] #21022: Use bcrypt for password hashing; updating old hashes
WordPress Trac
noreply at wordpress.org
Wed Nov 20 13:39:51 UTC 2024
#21022: Use bcrypt for password hashing; updating old hashes
-------------------------------------------------+-------------------------
Reporter: th23 | Owner: johnbillion
Type: enhancement | Status: accepted
Priority: normal | Milestone: 6.8
Component: Security | Version: 3.4
Severity: normal | Resolution:
Keywords: has-patch needs-testing has-unit-tests | Focuses:
-------------------------------------------------+-------------------------
Comment (by johnbillion):
Alright, let's kick this out the door at last. I propose switching to
bcrypt for password hashing in WordPress 6.8 using the implementation at
https://github.com/WordPress/wordpress-develop/pull/7333 .
The description on that PR covers the points raised in the discussion on
this ticket and in #50027. The **tl;dr** is that we'll switch from using
phpass to using `password_hash()` and `password_verify()` with bcrypt.
Loads of info in the PR, so please go and take a look and have a read
through the description, the FAQ, and the draft for the make/core post.
The one remaining decision to be made concerns the 72 byte input length
limit of bcrypt. My proposal is to not implement any specific handling to
account for a password greater than 72 bytes in length, and I've written
my reasoning for this in the FAQ section of the PR. If there are no
objections then we'll go ahead with this.
Feedback, testing, and code reviews on the PR are welcome.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:150>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
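The flow the comment describes (password_hash()/password_verify() with bcrypt, updating old hashes on the next successful login, and what "no specific handling" of the 72-byte limit means in practice), as an added example. This is not code from PR 7333 or from WordPress core: the legacy verifier below is a plain MD5 stand-in for the phpass check, which is not reproduced here, and the cost, function names and sample passwords are assumptions for illustration.

```php
<?php
// Added example, not WordPress core or PR 7333 code. Demonstrates the
// password_hash()/password_verify() bcrypt flow, upgrade-on-login of a
// legacy hash, and the 72-byte bcrypt input limit discussed in the ticket.
declare(strict_types=1);

// Cost 10 is PHP's default for bcrypt; the cost WordPress settles on is in
// the PR, not assumed here.
const BCRYPT_OPTIONS = ['cost' => 10];

function hash_password(string $password): string
{
    // PASSWORD_BCRYPT is the "$2y$" variant. Input longer than 72 bytes is
    // silently cut at 72 bytes by PHP's bcrypt; no error is raised.
    return password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
}

// Stand-in for the legacy (pre-bcrypt) verifier. Assumption for this
// example only: plain MD5 takes the place of the real phpass check.
function legacy_verify(string $password, string $stored): bool
{
    return hash_equals($stored, md5($password));
}

function is_bcrypt_hash(string $stored): bool
{
    // password_get_info() reports PASSWORD_BCRYPT only for "$2y$" hashes;
    // a legacy hash yields a null/zero algo.
    return password_get_info($stored)['algo'] === PASSWORD_BCRYPT;
}

// Verify a password against whatever is stored. Returns [ok, newHash]:
// newHash is non-null when the caller should overwrite the stored value
// (legacy scheme, or bcrypt at an outdated cost), which is how old hashes
// get upgraded on the user's next successful login.
function check_and_upgrade(string $password, string $stored): array
{
    if (is_bcrypt_hash($stored)) {
        $ok = password_verify($password, $stored);
        $needs = $ok && password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
        return [$ok, $needs ? hash_password($password) : null];
    }
    $ok = legacy_verify($password, $stored);
    return [$ok, $ok ? hash_password($password) : null];
}

// True when two distinct inputs verify against the same bcrypt hash, i.e.
// when they are indistinguishable after truncation to 72 bytes.
function truncation_collision(string $a, string $b): bool
{
    return $a !== $b && password_verify($b, hash_password($a));
}

function expect(bool $cond, string $what): void
{
    echo ($cond ? 'PASS' : 'FAIL') . ': ' . $what . PHP_EOL;
}

// --- Demonstration on constructed inputs ---
$legacyRow = md5('correct horse');                 // constructed legacy row

[$ok, $upgraded] = check_and_upgrade('correct horse', $legacyRow);
expect($ok, 'legacy hash verifies');
expect($upgraded !== null && is_bcrypt_hash($upgraded), 'legacy hash is replaced by bcrypt');

[$ok2, $again] = check_and_upgrade('correct horse', $upgraded);
expect($ok2 && $again === null, 'bcrypt hash at current cost is not rehashed');

[$bad, $none] = check_and_upgrade('wrong horse', $upgraded);
expect(!$bad && $none === null, 'wrong password neither verifies nor rehashes');

$p72 = str_repeat('x', 72);
expect(truncation_collision($p72 . 'tail-A', $p72 . 'tail-B'),
    'inputs sharing the first 72 bytes collide (bytes past 72 are ignored)');
expect(!truncation_collision($p72, substr($p72, 0, 71) . 'y'),
    'a difference within the first 72 bytes still matters');
// Multibyte characters count per byte, so 24 three-byte UTF-8 characters
// already fill the 72-byte window.
$p72utf8 = str_repeat("\xE2\x82\xAC", 24);          // 24 x U+20AC (3 bytes each)
expect(truncation_collision($p72utf8 . 'A', $p72utf8 . 'B'),
    'multibyte input is measured in bytes, not characters');
```

Run with `php example.php`. The two truncation checks show the concrete consequence of the proposal to add no special handling: a passphrase longer than 72 bytes still works, but only its first 72 bytes are enforced, and a differing tail will verify against the same hash. The upgrade path does not change a stored hash until the user logs in with the correct password, because the plaintext is only available at that moment.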