[wp-trac] [WordPress Trac] #63412: Bcrypt - Cannot Verify Password Hashes
WordPress Trac
noreply at wordpress.org
Thu May 8 04:22:37 UTC 2025
#63412: Bcrypt - Cannot Verify Password Hashes
------------------------------------+------------------------------
Reporter: aaron13223 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Login and Registration | Version: 6.8
Severity: normal | Resolution:
Keywords: 2nd-opinion | Focuses:
------------------------------------+------------------------------
Comment (by aaron13223):
Wow Dion, you are right. It was pure happen chance that I checked this
password in particular haha.
No matter how many hashes are generated for that particular password, it
does not work until the backslash is added to it while generating the
hash.
The filter works as expected, just fixed a typo in str_contains():
{{{#!php
<?php
// Support passwords from JS bcrypt which did not slash the password.
function backwards_compatible_bcrypt_passwords( $check, $password, $hash
){
if ( ! $check && str_starts_with( $hash, '$2b' ) && str_contains(
$password, "'" ) ) {
$check = password_verify( wp_unslash( $password ), $hash );
}
return $check;
}
add_filter( 'check_password', 'backwards_compatible_bcrypt_passwords', 10,
3 );
}}}
Thanks so much for your help!
Additionally, should I mark this as "wontfix" or similar or leave it as
is? Let me know. Thanks a lot again!
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63412#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list