[wp-trac] [WordPress Trac] #63203: Application Passwords BC Break in 6.8's new hashing
WordPress Trac
noreply at wordpress.org
Tue Apr 1 09:56:23 UTC 2025
#63203: Application Passwords BC Break in 6.8's new hashing
----------------------------------------+--------------------------
Reporter: snicco | Owner: johnbillion
Type: defect (bug) | Status: accepted
Priority: normal | Milestone: 6.8
Component: Application Passwords | Version: trunk
Severity: major | Resolution:
Keywords: has-patch needs-unit-tests | Focuses:
----------------------------------------+--------------------------
Changes (by johnbillion):
* owner: (none) => johnbillion
* status: new => accepted
Comment:
I think there's some confusion in the pull requests between passwords
hashed with bcrypt and passwords hashed with BLAKE2b. Application
passwords use the latter via `wp_fast_hash()` and should not be switched
to hashing with `wp_hash_password()`. This report from @snicco has
identified that existing passwords hashed prior to 6.8 with a custom
implementation of the pluggable `wp_hash_password()` need to be checked
with that function for backwards compatibility, but new ones must not be
hashed with it.
This needs additional test coverage because the existing tests should have
failed with the proposed changes in the PRs.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63203#comment:12>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
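An added illustration of the verification split described in the comment above; it is not WordPress core code and not code from this ticket's patches. The comment names `wp_fast_hash()` (BLAKE2b) as the hash new application passwords use and the pluggable `wp_hash_password()` as the function a pre-6.8 site may have overridden. In the example, `fast_hash()`/`verify_fast_hash()` are assumed stand-ins for WordPress's `wp_fast_hash()`/`wp_verify_fast_hash()`, `legacy_check()` stands in for a site's pluggable `wp_check_password()` counterpart, the `$generic$` prefix and the salt handling are assumptions, and the sample secrets are constructed.

```php
<?php
// Added example, not WordPress core code. Models the two-path check a site
// needs after the 6.8 hashing change: new-format (BLAKE2b) hashes are verified
// with the fast hash, older hashes are passed to the pluggable legacy check.

const FAST_PREFIX = '$generic$'; // assumed marker for fast (BLAKE2b) hashes

// Stand-in for wp_fast_hash(): keyed BLAKE2b via libsodium. The key stands in
// for the site's auth salt; a real site would derive it from its salts, not
// generate it per request.
function fast_hash(string $message, string $key): string
{
    $digest = sodium_crypto_generichash($message, $key, 32);
    return FAST_PREFIX . base64_encode($digest);
}

// Stand-in for wp_verify_fast_hash(): only accepts hashes in the new format.
function verify_fast_hash(string $message, string $hash, string $key): bool
{
    if (!str_starts_with($hash, FAST_PREFIX)) {
        return false;
    }
    return hash_equals($hash, fast_hash($message, $key));
}

// Stand-in for a pre-6.8 site whose pluggable wp_hash_password() wrote
// password_hash()-style (here: bcrypt) hashes. Only verification is kept for
// backwards compatibility; nothing new is written in this format.
function legacy_check(string $password, string $hash): bool
{
    return password_verify($password, $hash);
}

// Verification order: new-format hashes first, legacy fallback second.
// Storage of new application passwords always goes through fast_hash().
function verify_application_password(string $password, string $stored, string $key): bool
{
    if (str_starts_with($stored, FAST_PREFIX)) {
        return verify_fast_hash($password, $stored, $key);
    }
    return legacy_check($password, $stored);
}

// --- constructed sample data ---
$key        = random_bytes(SODIUM_CRYPTO_GENERICHASH_KEYBYTES); // assumed salt stand-in
$secret     = 'abcd efgh ijkl mnop';                             // constructed app password
$newHash    = fast_hash($secret, $key);                          // created on 6.8
$legacyHash = password_hash($secret, PASSWORD_BCRYPT);          // created pre-6.8 by a plugin

var_dump(verify_application_password($secret, $newHash, $key));
var_dump(verify_application_password($secret, $legacyHash, $key));
var_dump(verify_application_password('not the secret', $newHash, $key));
var_dump(verify_application_password('not the secret', $legacyHash, $key));
```

The point the comment makes is visible in the last function: the legacy path is only ever a fallback for verification, and every newly stored application password is produced by the fast hash. A test for the regression would store a bcrypt-style hash, confirm it still verifies, and then assert that a freshly created application password does not carry that format.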