[wp-trac] [WordPress Trac] #21022: Use bcrypt for password hashing; updating old hashes
WordPress Trac
noreply at wordpress.org
Fri Nov 22 01:59:45 UTC 2024
#21022: Use bcrypt for password hashing; updating old hashes
-------------------------------------------------+-------------------------
Reporter: th23                                   | Owner: johnbillion
Type: enhancement                                | Status: accepted
Priority: normal                                 | Milestone: 6.8
Component: Security                              | Version: 3.4
Severity: normal                                 | Resolution:
Keywords: has-patch needs-testing has-unit-tests | Focuses:
-------------------------------------------------+-------------------------
Comment (by ayeshrajans):
I maintain a [https://wordpress.org/plugins/password-hash/ WordPress
plugin] that does this as well. It intentionally does not pre-hash passwords,
and ignores the password length (because it also supports Argon2 with a PHP
constant config).
I think the PR looks great as-is, and I really want to .
- The point of that plugin is to ''upgrade'' to bcrypt, and not to roll
our own way of hashing passwords. I totally agree with and echo what
@johnbillion said in comment:161.
- If we were to pre-hash, we run into a problem that users of Roots' or
the plugin I linked above will not be able to uninstall the plugin
without and let WordPress core handle it the same way these plugins were
doing.
- If we were to HMAC or, god forbid, encrypt passwords, we are not doing
ourselves any favors, and might break existing sites because now you have
to keep the key in sync with the database backups and replicas. Strong -1.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:171>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
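The upgrade-on-login approach the comment argues for (store plain bcrypt or Argon2 output, no pre-hashing and no HMAC key to keep in sync, and replace a legacy hash the next time the user successfully authenticates) can be shown in a few lines of PHP. This is an added illustration, not code from WordPress core, the password-hash plugin or Roots' plugin; it assumes the legacy format is the 32-character MD5 hash WordPress used before phpass, and the constant name EXAMPLE_PASSWORD_ALGO is hypothetical.

```php
<?php
// Added illustration (not core's or any plugin's code): rehash-on-login from a
// legacy hash to bcrypt or Argon2, storing the raw password_hash() output so
// that hashes stay interchangeable with plugins that already do the same.
// Assumptions: legacy hashes are 32-hex-char MD5 (WordPress pre-2.5 format);
// EXAMPLE_PASSWORD_ALGO is a hypothetical constant standing in for a config option.

declare(strict_types=1);

if (!defined('EXAMPLE_PASSWORD_ALGO')) {
    define('EXAMPLE_PASSWORD_ALGO', PASSWORD_BCRYPT); // or PASSWORD_ARGON2ID
}

function example_hash(string $password): string
{
    // bcrypt only consumes the first 72 bytes; surface that rather than
    // silently truncating (the plugin discussed above chooses to ignore it).
    if (EXAMPLE_PASSWORD_ALGO === PASSWORD_BCRYPT && strlen($password) > 72) {
        throw new InvalidArgumentException('password exceeds the 72-byte bcrypt limit');
    }
    return password_hash($password, EXAMPLE_PASSWORD_ALGO);
}

function example_is_legacy(string $hash): bool
{
    return (bool) preg_match('/^[0-9a-f]{32}$/', $hash);
}

/**
 * Verifies $password against $stored and returns the hash that should now be
 * persisted: the same string when it is already current, an upgraded hash
 * when the stored one is legacy or uses outdated parameters, null on failure.
 */
function example_check_and_upgrade(string $password, string $stored): ?string
{
    if (example_is_legacy($stored)) {
        if (!hash_equals($stored, md5($password))) {
            return null;
        }
        return example_hash($password); // upgrade only after a successful login
    }
    if (!password_verify($password, $stored)) {
        return null;
    }
    // Also rehash when the configured algorithm or cost parameters changed.
    return password_needs_rehash($stored, EXAMPLE_PASSWORD_ALGO)
        ? example_hash($password)
        : $stored;
}

// Demo with a constructed legacy row.
$legacy = md5('correct horse battery staple');
$upgraded = example_check_and_upgrade('correct horse battery staple', $legacy);
assert($upgraded !== null && !example_is_legacy($upgraded));
assert(example_check_and_upgrade('wrong password', $legacy) === null);
// A current hash is returned unchanged, so the caller can skip the UPDATE.
assert(example_check_and_upgrade('correct horse battery staple', $upgraded) === $upgraded);
echo "ok\n";
```

The caller writes the returned hash back only when it differs from what was read, so a database that has been partially migrated keeps working, and uninstalling a plugin that already stored plain bcrypt hashes leaves nothing for core to re-interpret.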