[wp-trac] [WordPress Trac] #21022: Use bcrypt for password hashing; updating old hashes

WordPress Trac noreply at wordpress.org
Thu Mar 27 06:46:25 UTC 2025


#21022: Use bcrypt for password hashing; updating old hashes
-------------------------------------------------+-------------------------
 Reporter:  th23                                 |       Owner:
                                                 |  johnbillion
     Type:  enhancement                          |      Status:  reopened
 Priority:  normal                               |   Milestone:  6.8
Component:  Security                             |     Version:  3.4
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch needs-testing has-unit-    |     Focuses:
  tests has-dev-note                             |
-------------------------------------------------+-------------------------

Comment (by devsahadat):

 I've thoroughly reviewed the bug report and associated pull requests for
 implementing bcrypt for password hashing in WordPress. After more than a
 decade since this ticket was opened, it's great to see this important
 security enhancement finally being implemented in version 6.8.

 The approach taken in PR #7333 is sound and comprehensive:

 **Security Upgrade:** Moving from phpass's MD5-based hashing to bcrypt
 provides a significant security improvement, making password cracking
 attempts exponentially more difficult.

 **Backward Compatibility:** The implementation maintains backward
 compatibility by supporting existing password hashes and gradually
 upgrading them when users log in.

 **Technical Details:** Using PHP's native password_hash() and
 password_verify() functions is a clean approach, leveraging established
 cryptographic standards.

 **Edge Cases:** The 72-byte limitation of bcrypt was carefully considered, and
 I agree with the decision not to complicate the implementation with
 pre-hashing techniques.

 **Testing Confirmation**
 I've tested this implementation on several environments with different PHP
 versions (7.4, 8.0, and 8.2) and found that:

  * Existing users can log in successfully with their current passwords
  * Passwords are properly migrated to bcrypt upon login
  * Password resets work correctly
  * The implementation performs well without noticeable slowdowns

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:254>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
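The "verify against the old hash, then upgrade on login" flow the comment describes, written out as an added example. This is not WordPress core code and not the code from PR #7333; the function names (check_and_upgrade_password, phpass_crypt, is_bcrypt_hash), the $user['user_pass'] field, the bcrypt cost of 12, and the fixed demo salt are assumptions made for this illustration. The phpass portable-hash routine is re-implemented only so the example can verify a legacy `$P$` hash offline; the 72-byte handling shows one way to treat the edge case from the ticket without pre-hashing (skip the migration and keep the legacy hash until the user sets a new password).

```php
<?php
declare(strict_types=1);

// Added example, not WordPress core code. Names below are assumptions.
const BCRYPT_OPTIONS   = ['cost' => 12];   // assumed target cost, not WordPress's value
const BCRYPT_MAX_BYTES = 72;               // bcrypt only considers the first 72 bytes
const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// phpass "portable" ($P$/$H$) hashes: the MD5-based legacy scheme being replaced.
function phpass_encode64(string $input, int $count): string
{
    $output = '';
    $i = 0;
    do {                                               // phpass's own 3-byte -> 4-char packing
        $value = ord($input[$i++]);
        $output .= ITOA64[$value & 0x3f];
        if ($i < $count) { $value |= ord($input[$i]) << 8; }
        $output .= ITOA64[($value >> 6) & 0x3f];
        if ($i++ >= $count) { break; }
        if ($i < $count) { $value |= ord($input[$i]) << 16; }
        $output .= ITOA64[($value >> 12) & 0x3f];
        if ($i++ >= $count) { break; }
        $output .= ITOA64[($value >> 18) & 0x3f];
    } while ($i < $count);
    return $output;
}

// $setting = "$P$" . cost_char . 8-char salt (the first 12 chars of a stored hash).
function phpass_crypt(string $password, string $setting): string
{
    if (strlen($setting) < 12 || !in_array(substr($setting, 0, 3), ['$P$', '$H$'], true)) {
        return '*';                                    // invalid setting: can never match
    }
    $countLog2 = strpos(ITOA64, $setting[3]);
    if ($countLog2 === false || $countLog2 < 7 || $countLog2 > 30) {
        return '*';
    }
    $count = 1 << $countLog2;
    $salt  = substr($setting, 4, 8);
    $hash  = md5($salt . $password, true);
    do {
        $hash = md5($hash . $password, true);          // 2^countLog2 chained MD5 rounds
    } while (--$count);
    return substr($setting, 0, 12) . phpass_encode64($hash, 16);   // 34 chars total
}

function phpass_verify(string $password, string $stored): bool
{
    return strlen($stored) === 34 && hash_equals($stored, phpass_crypt($password, $stored));
}

function is_bcrypt_hash(string $hash): bool
{
    return strncmp($hash, '$2y$', 4) === 0;
}

// Verify $password against $user['user_pass']; on success, upgrade the stored
// hash in place when it is legacy phpass or a bcrypt hash below the current cost.
function check_and_upgrade_password(string $password, array &$user): array
{
    $stored = $user['user_pass'];
    if (is_bcrypt_hash($stored)) {
        if (!password_verify($password, $stored)) {
            return ['ok' => false, 'upgraded' => false];
        }
        $needs = password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    } else {
        if (!phpass_verify($password, $stored)) {
            return ['ok' => false, 'upgraded' => false];
        }
        $needs = true;                                 // legacy hash: always migrate
    }
    // Edge case from the ticket: bcrypt silently ignores everything past byte 72.
    // Without pre-hashing, don't mint a bcrypt hash for such a password; keep the
    // legacy hash and prompt the user to choose a new password instead.
    if ($needs && strlen($password) <= BCRYPT_MAX_BYTES) {
        $user['user_pass'] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
        return ['ok' => true, 'upgraded' => true];
    }
    return ['ok' => true, 'upgraded' => false];
}

function expect(bool $cond, string $what): void
{
    if (!$cond) { throw new RuntimeException("failed: $what"); }
}

// Constructed demo user with a legacy phpass hash (fixed salt "abcdefgh", 2^13 rounds).
$user = ['user_login' => 'demo', 'user_pass' => phpass_crypt('correct horse', '$P$Babcdefgh')];

$first = check_and_upgrade_password('correct horse', $user);
expect($first === ['ok' => true, 'upgraded' => true], 'legacy login verifies and migrates');
expect(is_bcrypt_hash($user['user_pass']), 'stored hash is now bcrypt');

$second = check_and_upgrade_password('correct horse', $user);
expect($second === ['ok' => true, 'upgraded' => false], 'bcrypt login verifies, no re-hash');
expect(check_and_upgrade_password('wrong', $user)['ok'] === false, 'wrong password rejected');
echo "all checks passed\n";
```

Running the script twice against the same record shows the migration happening exactly once: the first successful login replaces the `$P$` hash with a `$2y$` hash, and later logins only call password_needs_rehash(), which stays false until the configured cost is raised.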

