[wp-trac] [WordPress Trac] #21022: Use bcrypt for password hashing; updating old hashes
WordPress Trac
noreply at wordpress.org
Thu Feb 20 15:42:15 UTC 2025
#21022: Use bcrypt for password hashing; updating old hashes
-------------------------------------------------+-------------------------
Reporter: th23                                   | Owner: johnbillion
Type: enhancement                                | Status: reopened
Priority: normal                                 | Milestone: 6.8
Component: Security                              | Version: 3.4
Severity: normal                                 | Resolution:
Keywords: has-patch needs-testing has-unit-tests | Focuses:
          has-dev-note                           |
-------------------------------------------------+-------------------------
Comment (by johnbillion):
RE the length of the `user_activation_key` field. I think to address this
we need to look at how many sites are realistically using
`DO_NOT_UPGRADE_GLOBAL_TABLES` and have not performed this particular
database upgrade routine in almost a decade. I understand that this broke
password resets on wordpress.org, but we also have to decide whether such
a scenario is unreasonable to support.
I think we have two options:
1. Add some additional messaging to the bcrypt announcement post about the
requirement that the `wp_users` table is not running a schema that changed
nine years prior. Does this warrant a message in core too? Perhaps, but I
would love to know if there are sites other than wordpress.org that this
affects before we add anything.
2. If we can safely decrease the length of the `wp_fast_hash()` hash
without reducing its security then I am in favour. I am happy to defer to
@paragoninitiativeenterprises on this.
> A Devnote may be required anyway, to warn that previous password reset
hashes have been broken.
Just to clarify the above, password reset key hashes generated prior to
6.8 remain valid after updating to 6.8 as long as they are used prior to
their usual expiry time.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:232>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
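As an added illustration of the column-width and digest-length trade-off raised in the comment above (this is example code written for this page, not WordPress core, and it does not reproduce the real `wp_fast_hash()` output format, prefix or the actual `user_activation_key` column definition; the 60-character column width, the `$demo$` prefix and the `timestamp:hash` layout are assumptions for illustration):

```php
<?php
// Added example, not WordPress core code. It shows: a high-entropy reset key,
// a fast single-pass hash of it (BLAKE2b via libsodium), the length of the
// stored "timestamp:hash" value, what a narrow legacy column does to it, and
// that a shorter digest fits without changing the preimage argument.
// OLD_COLUMN_WIDTH is an assumed width for a pre-upgrade varchar column.

const OLD_COLUMN_WIDTH = 60;

// A reset key should be raw randomness, never something derived from user
// data: 32 random bytes, hex-encoded so it survives a URL (64 chars, 256 bits).
function make_reset_key(): string {
    return bin2hex(random_bytes(32));
}

// Fast hash: no salt, no stretching. The input already has 256 bits of
// entropy, so an attacker who reads the database must find a preimage of the
// digest; key stretching buys nothing here and would only cost CPU per reset.
function fast_hash(string $key, int $digest_bytes = SODIUM_CRYPTO_GENERICHASH_BYTES): string {
    $digest = sodium_crypto_generichash($key, '', $digest_bytes); // '' = unkeyed
    return '$demo$' . base64_encode($digest);
}

// Stored form carries the issue time so the key can expire.
function stored_value(string $hash, int $issued_at): string {
    return $issued_at . ':' . $hash;
}

// Simulates MySQL in non-strict mode silently truncating an over-long value
// on INSERT into a column that was never widened.
function truncate_to_column(string $value, int $width): string {
    return substr($value, 0, $width);
}

function verify(string $key, string $stored, int $now, int $ttl, int $digest_bytes): bool {
    if (strpos($stored, ':') === false) {
        return false;
    }
    [$issued_at, $hash] = explode(':', $stored, 2);
    if ($now - (int) $issued_at > $ttl) {
        return false; // expired
    }
    // Constant-time compare; a truncated stored hash simply fails to match.
    return hash_equals($hash, fast_hash($key, $digest_bytes));
}

$key = make_reset_key();
$now = time();

foreach ([32, 16] as $bytes) {
    $value = stored_value(fast_hash($key, $bytes), $now);
    $in_db = truncate_to_column($value, OLD_COLUMN_WIDTH);
    printf(
        "%d-byte digest: stored length %d, fits in %d-char column: %s, verifies after storage: %s\n",
        $bytes,
        strlen($value),
        OLD_COLUMN_WIDTH,
        strlen($value) <= OLD_COLUMN_WIDTH ? 'yes' : 'no',
        verify($key, $in_db, $now, 86400, $bytes) ? 'yes' : 'no'
    );
}
```

With a 10-digit timestamp, the 32-byte digest produces a 61-character stored value, one character over the assumed 60-character column, so the truncated copy never verifies and every reset silently fails; the 16-byte digest yields 41 characters and verifies. The reason a shorter digest is defensible for this use, as opposed to for password hashing, is that the token is attacker-unknown randomness: the only attack against the stored digest is a preimage search, which a 128-bit output still leaves at roughly 2^128 work, and collision resistance is irrelevant because the attacker cannot choose both inputs. Whether that reasoning is acceptable for core is exactly the question the comment defers to Paragon; this example only shows the mechanics.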