[wp-trac] [WordPress Trac] #63203: Application Passwords BC Break in 6.8's new hashing
WordPress Trac
noreply at wordpress.org
Mon Mar 31 15:57:50 UTC 2025
#63203: Application Passwords BC Break in 6.8's new hashing
-----------------------------------+-----------------------------
 Reporter:  snicco                 |      Owner:  (none)
     Type:  defect (bug)           |     Status:  new
 Priority:  normal                 |  Milestone:  Awaiting Review
Component:  Application Passwords  |    Version:  trunk
 Severity:  major                  |   Keywords:
  Focuses:                         |
-----------------------------------+-----------------------------
Pre-6.8, application passwords are created with `wp_hash_password`, which
is pluggable and can be replaced by users.
6.8 uses a new function `wp_fast_hash` to hash application passwords, and
`wp_verify_fast_hash` to check them.
For backwards compatibility, the following is included in the verification
code:
{{{#!php
<?php
function wp_verify_fast_hash(
	#[\SensitiveParameter]
	string $message,
	string $hash
): bool {
	if ( ! str_starts_with( $hash, '$generic$' ) ) {
		// Back-compat for old phpass hashes.
		require_once ABSPATH . WPINC . '/class-phpass.php';
		return ( new PasswordHash( 8, true ) )->CheckPassword( $message, $hash );
	}

	return hash_equals( $hash, wp_fast_hash( $message ) );
}
}}}
But this will only work if the site has previously **not** been using a
custom password hashing implementation.
That's not given (Fortress, WP password bcrypt, etc.), and is a BC break.
**All previously created application passwords would be invalid because
they fail validation.**
The correct, backwards compat preserving code would be:
{{{#!php
<?php
function wp_verify_fast_hash(
	#[\SensitiveParameter]
	string $message,
	string $hash
): bool {
	if ( ! str_starts_with( $hash, '$generic$' ) ) {
		// Back-compat for old hashes, via the pluggable check.
		return wp_check_password( $message, $hash );
	}

	return hash_equals( $hash, wp_fast_hash( $message ) );
}
}}}
By default, `wp_check_password` will use PHPass. But if a custom
implementation was used, it will use that instead.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63203>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform