[wp-trac] [WordPress Trac] #21022: Use bcrypt for password hashing; updating old hashes

WordPress Trac noreply at wordpress.org
Fri Feb 21 21:38:19 UTC 2025


#21022: Use bcrypt for password hashing; updating old hashes
-------------------------------------------------+-------------------------
 Reporter:  th23                                 |       Owner:
                                                 |  johnbillion
     Type:  enhancement                          |      Status:  reopened
 Priority:  normal                               |   Milestone:  6.8
Component:  Security                             |     Version:  3.4
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch needs-testing has-unit-    |     Focuses:
  tests has-dev-note                             |
-------------------------------------------------+-------------------------

Comment (by yani.iliev):

 Replying to [comment:235 stgoos]:
 > Replying to [comment:234 yani.iliev]:
 > > It is quite common to transfer a website between different versions of
 > > WordPress.
 >
 > Isn't that just bad practice?
 > Ideally - you always bring both sides to the same version to avoid
 > issues in that area!
 I appreciate your perspective. This is more about user behavior than
 anything we can control directly.

 > > Right now, this will break all transfer/migration plugins.
 >
 > It would be for one transfer/migration round only. Then it gets fixed
 > anyway by updating the source website first... (I know that sounds way
 > easier than reality sometimes will be.)
 The workaround with password resets assumes a functioning email
 configuration, which often isn't set up right away and may be broken
 during transfers. Even if email is working, telling users they must reset
 their passwords only adds confusion.

 > When transferring/migrating a website between different versions one
 > should already be extra aware of what's going on, just by mapping the
 > risks/challenges by reading through changelogs and testing upfront, and
 > act accordingly to mitigate those risks/challenges.
 The "perfect world" approach would be to follow best practices (test
 everything, read changelogs), but in practice, most users don't do that.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:236>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

