[wp-trac] [WordPress Trac] #63412: Bcrypt - Cannot Verify Password Hashes
WordPress Trac
noreply at wordpress.org
Thu May 8 03:02:58 UTC 2025
#63412: Bcrypt - Cannot Verify Password Hashes
------------------------------------+-----------------------------
Reporter: aaron13223 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Login and Registration | Version: 6.8
Severity: normal | Keywords:
Focuses: |
------------------------------------+-----------------------------
Hi There,
Some bcrypt hashes cannot be verified likely due to an escape character
issue.
One example of a hash is:
{{{
$2b$10$AmZawb7AujOXxowQuhUk2.sg69pZge8uG.zdbIc.FMRmz54Op8x9u
}}}
The password for this hash is: A3oc5tq9'U&d
If you try to verify this anywhere, it will verify like it should, but it
doesn't work in WP. We also noticed this could be an escape issue, since if
we try to verify it with a simple PHP script:
{{{#!php
<?php
// The password to check
$password = "A3oc5tq9'U&d";
// The bcrypt hash to check against
$hash = "$2b$10$AmZawb7AujOXxowQuhUk2.sg69pZge8uG.zdbIc.FMRmz54Op8x9u";
// Verify the password against the hash
if (password_verify($password, $hash)) {
echo "correct";
} else {
echo "incorrect";
}
}}}
This will throw an undefined variable error; we need to either wrap the
hash in single quotes or escape it like so:
{{{
$hash = "$2b\$10\$AmZawb7AujOXxowQuhUk2.sg69pZge8uG.zdbIc.FMRmz54Op8x9u";
}}}
Storing this hash directly in the database with escaped character does not
help either.
We found this since we are running an import of users from another
platform which also uses bcrypt for hashing passwords. (JS bcrypt library
5.1.1 for reference)
Please let me know what you think and if this is even a WordPress-specific
issue.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63412>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
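Added example (editor's illustration, not code from the ticket or from WordPress core): the failure in the reporter's script is PHP string interpolation, not the hash itself. In a double-quoted string, `$AmZawb7AujOXxowQuhUk2` is parsed as a variable name and replaced by an empty string, so the value handed to `password_verify()` is 22 characters short of a bcrypt hash. The script below uses the ticket's own hash and password, keeps the hash in a single-quoted literal, and validates the shape of an imported hash before calling `password_verify()`, which is the check an importer should run on every row before trusting it. The helper names `is_bcrypt_hash()` and `verify_imported()` are this example's own.

```php
<?php
// Editor's example, not part of the ticket or of WordPress core.
// The hash and password below are the ones posted in the ticket.
declare(strict_types=1);

// Single quotes: no interpolation, every '$' is kept literally.
$hash = '$2b$10$AmZawb7AujOXxowQuhUk2.sg69pZge8uG.zdbIc.FMRmz54Op8x9u';

// Double quotes are fine here only because the password contains no '$'.
$password = "A3oc5tq9'U&d";

// The reporter's literal: "$2b" and "$10" stay literal (a digit cannot start a
// variable name), but "$AmZawb7AujOXxowQuhUk2" is treated as a variable,
// emits an "Undefined variable" warning, and is replaced by an empty string.
$interpolated = "$2b$10$AmZawb7AujOXxowQuhUk2.sg69pZge8uG.zdbIc.FMRmz54Op8x9u";

/**
 * Accept only a well-formed bcrypt hash: 2a/2b/2y prefix, two-digit cost,
 * 22 salt + 31 digest characters from the bcrypt base64 alphabet, 60 total.
 * Helper name is this example's own.
 */
function is_bcrypt_hash(string $candidate): bool
{
    return preg_match('/^\$2[aby]\$\d{2}\$[.\/A-Za-z0-9]{53}$/', $candidate) === 1;
}

/**
 * Verify an imported credential, rejecting mangled hashes before crypt()
 * ever sees them so a truncated value fails loudly instead of silently.
 * Helper name is this example's own.
 */
function verify_imported(string $password, string $candidate): bool
{
    if (!is_bcrypt_hash($candidate)) {
        return false;
    }
    return password_verify($password, $candidate);
}

printf("single-quoted hash length: %d, well-formed: %s, verifies: %s\n",
    strlen($hash),
    is_bcrypt_hash($hash) ? 'yes' : 'no',
    verify_imported($password, $hash) ? 'yes' : 'no');

printf("double-quoted hash length: %d, well-formed: %s, verifies: %s\n",
    strlen($interpolated),
    is_bcrypt_hash($interpolated) ? 'yes' : 'no',
    verify_imported($password, $interpolated) ? 'yes' : 'no');
```

Run it with `php script.php`. Only PHP double-quoted strings and heredocs interpolate `$`; single-quoted PHP literals and SQL string values do not, so a hash that is read from the database or from an import file arrives unchanged, which is consistent with the reporter's observation that escaping the stored value made no difference. The length check in `is_bcrypt_hash()` is the quickest way to tell a hash that was mangled by interpolation from one that is intact but rejected by the verifier for another reason.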