[wp-trac] [WordPress Trac] #21022: Use bcrypt for password hashing; updating old hashes
WordPress Trac
noreply at wordpress.org
Wed Feb 19 13:38:08 UTC 2025
#21022: Use bcrypt for password hashing; updating old hashes
-------------------------------------------------+-------------------------
 Reporter:  th23                                 |       Owner:  johnbillion
     Type:  enhancement                          |      Status:  reopened
 Priority:  normal                               |   Milestone:  6.8
Component:  Security                             |     Version:  3.4
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch needs-testing              |     Focuses:
            has-unit-tests has-dev-note          |
-------------------------------------------------+-------------------------
Comment (by wildworks):
I am a bit concerned about whether we should also consider scenarios where
a user downgrades their WordPress version. For example, in the following
case, the user will not be able to log in:
- Install WordPress 6.7.2 and change the user password to "`password`".
The password hash is `$P$BPrz9zVzDfSvUdwhrvQZlAp/5M44oh1`.
- Install and enable the Beta Tester plugin, select "Nightlies", and
update WordPress to 6.8-alpha.
- Set the password "`password`" again. The new password hash is
`$wp$2y$10$1Fygyd9SRRwZniZdi9kXJuW/Tof31v4hPjCNC0xqsbCa/xWKpqcWe`.
- Disable the Beta Tester plugin and downgrade to WordPress 6.7.2.
- If you log out of WordPress, you will not be able to log in with the
password "`password`".
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:225>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
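As an added illustration of the downgrade lockout described in the comment (example code written here, not part of the ticket or of WordPress core): a Python port of the phpass "portable" check that pre-6.8 releases apply to `$P$` hashes, plus a small audit helper that lists the accounts a 6.7.x install could not verify. The `$wp$2y$` branch relies only on the prefix visible in the comment; the 6.8 verification itself is not reproduced.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes) -> str:
    """phpass encode64: each 3-byte chunk (little-endian) becomes 4 itoa64 chars."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for k in range(len(chunk) + 1):
            out.append(ITOA64[(value >> (6 * k)) & 0x3F])
    return "".join(out)


def phpass_check(password: str, stored: str) -> bool:
    """Portable $P$ check as performed by WordPress <= 6.7.x. A '$wp$2y$' hash
    can never match here, which is the lockout the comment describes."""
    if not stored.startswith("$P$") or len(stored) != 34:
        return False
    count_log2 = ITOA64.find(stored[3])  # '$P$B' -> 13 -> 8192 rounds
    if count_log2 < 7 or count_log2 > 30:
        return False
    pw = password.strip().encode()  # wp_hash_password() trims the password
    h = hashlib.md5(stored[4:12].encode() + pw).digest()  # 8-char salt
    for _ in range(1 << count_log2):
        h = hashlib.md5(h + pw).digest()
    return hmac.compare_digest(stored[:12] + _encode64(h), stored)


def hash_format(stored: str) -> str:
    """Classify a user_pass value by the oldest release able to verify it."""
    if stored.startswith("$wp$2y$"):
        return "bcrypt-6.8"  # '$wp' prefix: only 6.8+ recognises it
    if stored.startswith("$P$"):
        return "phpass"
    if len(stored) == 32:
        return "md5-legacy"  # pre-2.5 hash, still accepted by 6.7.x
    return "unknown"


def downgrade_lockouts(rows):
    """rows: (user_login, user_pass) pairs from wp_users; returns the logins
    that could no longer authenticate after a downgrade to 6.7.x."""
    return [u for u, p in rows if hash_format(p) not in ("phpass", "md5-legacy")]
```

Run `downgrade_lockouts` over a dump of `wp_users` before downgrading; the ticket's own `$P$` hash for `password` is a handy input for checking `phpass_check`.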