[wp-trac] [WordPress Trac] #21022: Use bcrypt for password hashing; updating old hashes
WordPress Trac
noreply at wordpress.org
Fri Nov 22 10:29:06 UTC 2024
#21022: Use bcrypt for password hashing; updating old hashes
-------------------------------------------------+-------------------------
Reporter: th23 | Owner: johnbillion
Type: enhancement | Status: accepted
Priority: normal | Milestone: 6.8
Component: Security | Version: 3.4
Severity: normal | Resolution:
Keywords: has-patch needs-testing has-unit-tests | Focuses:
-------------------------------------------------+-------------------------
Comment (by stgoos):
Replying to [comment:171 ayeshrajans]:
> - The point of that plugin is to ''upgrade'' to bcrypt, and not to roll
> our own way of hashing passwords. Totally agreeing and echoing what
> @johnbillion said in comment:161.
>
> - If we were to pre-hash, we run into a problem that users of the
> roots' or the plugin I linked above will not be able to uninstall the
> plugin without and let WordPress core handle the same way these plugins
> were doing.

Time for WordPress core to adopt the features rollout process as in use
with WooCommerce, for existing installations. That way WordPress can draw
focus on the additional one-time step(s) that needs to be taken to enable
the new feature.

And in all honesty this is something WordPress has been creating
themselves by leaving this important ticket open for soooo loooong
already.

As a user of the plugin from Roots, I would not mind informing my users that
they will have to set a new password the next time they log in due to
improved password hashing (/security).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:172>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform