[wp-trac] [WordPress Trac] #21022: Use bcrypt for password hashing; updating old hashes
WordPress Trac
noreply at wordpress.org
Wed Feb 19 13:48:35 UTC 2025
#21022: Use bcrypt for password hashing; updating old hashes
-------------------------------------------------+-------------------------
Reporter: th23 | Owner: johnbillion
Type: enhancement | Status: reopened
Priority: normal | Milestone: 6.8
Component: Security | Version: 3.4
Severity: normal | Resolution:
Keywords: has-patch needs-testing has-unit-tests has-dev-note | Focuses:
-------------------------------------------------+-------------------------
Comment (by ayeshrajans):
> I am a bit concerned about whether we should also consider scenarios
where a user downgrades their WordPress version. For example, in the
following case, the user will not be able to log in:
Yes, if the user downgrades the WordPress version, they will not be able
to log in. I see that this is committed, but perhaps a roll-out that
provides some downgrade safety would be to add bcrypt support to the next
version, but not enable it. In the next version (6.9 for example), enable
it by default. That way, if the user downgrades, they can still log in
because bcrypt passwords are still understood and can be checked against.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:226>
WordPress Trac <https://core.trac.wordpress.org/>
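The staged roll-out described in the comment above, as an added example that is not WordPress core code: one release that only verifies bcrypt ships before the release that writes it, so a one-version downgrade still accepts every stored hash. It assumes the phpass `PasswordHash` class (`class-phpass.php`, which WordPress ships) is loadable; the `demo_*` names and `DEMO_*` constants are hypothetical.

```php
<?php
// Added example, not WordPress core code. Stage 1 release: bcrypt hashes are
// verified but phpass hashes are still written. Stage 2 release: bcrypt is
// written and legacy hashes are upgraded on login. A downgrade from stage 2
// to stage 1 keeps working because stage 1 already understands bcrypt.
// Assumes class-phpass.php (shipped with WordPress) is on the include path.
require_once 'class-phpass.php';

// false in the stage-1 release, true in the stage-2 release (hypothetical flag)
const DEMO_WRITE_BCRYPT = false;
const DEMO_BCRYPT_COST  = 10;

function demo_is_bcrypt(string $hash): bool {
    // password_hash() emits "$2y$"; older bcrypt implementations used "$2a$"
    $prefix = substr($hash, 0, 4);
    return $prefix === '$2y$' || $prefix === '$2a$';
}

function demo_hash_password(string $password): string {
    if (DEMO_WRITE_BCRYPT) {
        return password_hash($password, PASSWORD_BCRYPT, ['cost' => DEMO_BCRYPT_COST]);
    }
    // Portable phpass with 2^8 rounds, the scheme WordPress has used historically
    $hasher = new PasswordHash(8, true);
    return $hasher->HashPassword($password);
}

// Returns true on a match. $needs_rehash asks the caller to store a fresh
// hash, which can only ever become true once bcrypt writing is enabled.
function demo_check_password(string $password, string $stored, ?bool &$needs_rehash): bool {
    $needs_rehash = false;
    if (demo_is_bcrypt($stored)) {
        // Understood in both stages, so a downgrade to stage 1 still logs in
        $ok = password_verify($password, $stored);
        $needs_rehash = $ok && DEMO_WRITE_BCRYPT
            && password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => DEMO_BCRYPT_COST]);
        return $ok;
    }
    $hasher = new PasswordHash(8, true);
    $ok = $hasher->CheckPassword($password, $stored);
    // A legacy phpass hash is upgraded on successful login only in stage 2
    $needs_rehash = $ok && DEMO_WRITE_BCRYPT;
    return $ok;
}

// Constructed check: a hash written by a stage-2 install is verified by the
// stage-1 settings above, and stage 1 does not ask for a rehash.
$stage2Hash = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => DEMO_BCRYPT_COST]);
$rehash = null;
var_dump(demo_check_password('correct horse', $stage2Hash, $rehash), $rehash);
```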