[wp-trac] [WordPress Trac] #63203: Application Passwords BC Break in 6.8's new hashing
WordPress Trac
noreply at wordpress.org
Tue Apr 1 21:50:31 UTC 2025
#63203: Application Passwords BC Break in 6.8's new hashing
--------------------------------------+--------------------------
Reporter: snicco | Owner: johnbillion
Type: defect (bug) | Status: accepted
Priority: normal | Milestone: 6.8
Component: Application Passwords | Version: trunk
Severity: major | Resolution:
Keywords: has-patch has-unit-tests | Focuses:
--------------------------------------+--------------------------
Comment (by johnbillion):
Yeah it's covered in #21022 but that ticket might take all afternoon to
read by now so the tl;dr can be found under the "Why switch to BLAKE2b for
application passwords and security keys?" heading
[https://github.com/WordPress/wordpress-develop/pull/7333 on this PR]:
> Switching from phpass to the cryptographically secure but fast BLAKE2b
> algorithm via Sodium is safe for application passwords and security keys
> which are randomly generated with sufficiently high entropy. Security keys
> and application passwords are all randomly generated with high entropy via
> `wp_generate_password()` from an alpha-numeric character set of size 62.
> BLAKE2b is highly resistant to preimage attacks (being able to reverse a
> hash to determine its input) while having a low computational cost.
> This algorithm allows high-entropy passwords to be protected with a
> hashing algorithm that's much faster than bcrypt, which is just what we
> want for application passwords.
The sharing of password hashes between wordpress.org systems
[https://wordpress.slack.com/archives/G02QQEF9J/p1736989791138809?thread_ts=1736972447.173969&cid=G02QQEF9J
has been accounted for by Dion] (note: this is a link to a private
security channel).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63203#comment:16>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac mailing list
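The quoted PR text argues that a fast hash is acceptable only because the input is a machine-generated token with high entropy, not a human-chosen password. The following is an added example (not WordPress core code, and not the PR's implementation) that makes that reasoning concrete in Python: it draws a token from the same 62-character alpha-numeric set the comment names, computes the entropy budget in bits, hashes it with BLAKE2b (`hashlib.blake2b`, the same algorithm Sodium's `crypto_generichash` implements), and verifies it with a constant-time comparison. The 24-character token length and the attacker hash rate used for the cost estimate are assumptions for illustration; the comment states neither.

```python
import hashlib
import hmac
import math
import secrets
import string

# The alpha-numeric character set of size 62 the ticket comment refers to
# (upper- and lower-case letters plus digits).
ALPHABET = string.ascii_letters + string.digits
assert len(ALPHABET) == 62

# Assumed token length for this example; the comment does not state one.
TOKEN_LENGTH = 24

# Output size in bytes. 32 matches the default output of Sodium's
# crypto_generichash, the BLAKE2b variant the comment describes.
DIGEST_SIZE = 32


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string of `length` symbols drawn from an
    alphabet of `alphabet_size` symbols: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def generate_token(length: int = TOKEN_LENGTH) -> str:
    """Generate a random token from ALPHABET using a CSPRNG (secrets), the
    property wp_generate_password() is relied on for in the quoted text."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def fast_hash(token: str) -> str:
    """Unsalted, unkeyed BLAKE2b digest of the token, hex encoded.

    No salt and no work factor is deliberate here: the defence against
    brute force is the token's entropy, not hash slowness. This is only
    appropriate for high-entropy machine-generated secrets."""
    return hashlib.blake2b(token.encode("ascii"), digest_size=DIGEST_SIZE).hexdigest()


def verify(candidate: str, stored_hash: str) -> bool:
    """Hash the presented token and compare in constant time so the
    comparison itself does not leak how many leading bytes matched."""
    return hmac.compare_digest(fast_hash(candidate), stored_hash)


def brute_force_years(bits: float, hashes_per_second: float) -> float:
    """Expected years to exhaust a 2**bits keyspace at a given hash rate.
    Used to show why a fast hash does not weaken a high-entropy token."""
    seconds = 2.0 ** bits / hashes_per_second
    return seconds / (365.25 * 86400)


def safe_for_fast_hash(length: int, minimum_bits: float = 128.0) -> bool:
    """Policy check: only tokens with at least `minimum_bits` of entropy
    should be stored with an unsalted fast hash; anything weaker (such as a
    human-chosen password) belongs behind a slow, salted hash like bcrypt.
    The 128-bit threshold is this example's assumption, not WordPress's."""
    return entropy_bits(length) >= minimum_bits


if __name__ == "__main__":
    token = generate_token()
    stored = fast_hash(token)
    print("token entropy (bits):", round(entropy_bits(TOKEN_LENGTH), 1))
    print("8-char password entropy (bits):", round(entropy_bits(8), 1))
    # Assumed attacker rate of 1e12 BLAKE2b hashes per second, for illustration only.
    print("years to exhaust at 1e12 H/s:", f"{brute_force_years(entropy_bits(TOKEN_LENGTH), 1e12):.2e}")
    print("verify correct token:", verify(token, stored))
    print("verify wrong token:", verify(generate_token(), stored))
    print("fast hash acceptable for 24-char token:", safe_for_fast_hash(TOKEN_LENGTH))
    print("fast hash acceptable for 8-char password:", safe_for_fast_hash(8))
```

The contrast between the 24-character token (roughly 143 bits) and an 8-character string from the same alphabet (under 48 bits) is the whole point of the quoted justification: the speed of BLAKE2b is harmless against the former and would be a serious weakness for the latter, which is why the change is scoped to application passwords and security keys and not to user passwords.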