[wp-trac] [WordPress Trac] #63412: Bcrypt - Cannot Verify Password Hashes
WordPress Trac
noreply at wordpress.org
Thu May 8 04:33:06 UTC 2025
#63412: Bcrypt - Cannot Verify Password Hashes
------------------------------------+------------------------------
Reporter: aaron13223 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Login and Registration | Version: 6.8
Severity: normal | Resolution:
Keywords: 2nd-opinion | Focuses:
------------------------------------+------------------------------
Comment (by dd32):
> just fixed a typo in str_contains():
:facepalm: Teaches me right for coding in a Trac `<textarea>`.
I think this ticket should remain open until someone who has worked with
passwords can chime in on:
> it might be worth adding back-compat support to WordPress for this edge-case,
> where non-wordpress-generated-hashes are the password and it's the
> non-slashed password inside that hash.
I attempted to find a ticket that this is suggested in, but I wasn't able
to (too many search results), so it might have been discussed already.
I did find #24367 which suggests
> we need to go back to storing a hash of the slashed password. Yes, this
> is stupid, and we ought to fix it, but right now let's handle the bug.
and #34297 which mentions breakage of slashed passwords, but nothing for
compatibility for passwords generated outside of WordPress with slashes
(although if another dev feels like closing this as a duplicate of that
one, go for it).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63412#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
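
The edge case discussed in this comment, as an added example that is not part of the ticket or of WordPress core: a bcrypt hash created outside WordPress from the unslashed password does not verify against the slashed login input, and a back-compat check retries with the unslashed value. The helper name `example_check_password()`, the sample password and the plain-bcrypt prefix test are assumptions made for illustration.

```php
<?php
// Constructed sample password containing characters that addslashes() escapes.
$plain = 'pa"ss\'w\\ord';

// Hash generated outside WordPress: plain bcrypt over the raw, unslashed password.
$external_hash = password_hash($plain, PASSWORD_BCRYPT);

// Request data reaches the login check in slashed form.
$submitted = addslashes($plain);

/**
 * Hypothetical helper (not a WordPress function): check the submitted, slashed
 * password first, then retry once with the slashes removed.
 *
 * Returns 'ok' (login accepted) and 'rehash' (the hash matched only the
 * unslashed form, so the caller should store a fresh hash of the slashed
 * password, the convention the quoted #24367 comment describes).
 */
function example_check_password(string $submitted, string $hash): array
{
    if (password_verify($submitted, $hash)) {
        return ['ok' => true, 'rehash' => false];
    }

    // Assumption: only plain bcrypt hashes are treated as externally generated.
    // Keeping the fallback narrow avoids accepting two spellings of a password
    // for hashes that were created from the slashed form.
    $is_plain_bcrypt = preg_match('/^\$2[aby]\$/', $hash) === 1;
    $unslashed = stripslashes($submitted);

    if ($is_plain_bcrypt && $unslashed !== $submitted
        && password_verify($unslashed, $hash)) {
        return ['ok' => true, 'rehash' => true];
    }

    return ['ok' => false, 'rehash' => false];
}

// Direct comparison of the slashed input against the external hash.
var_dump(password_verify($submitted, $external_hash));

// The same input through the back-compat check.
var_dump(example_check_password($submitted, $external_hash));

// A wrong password is rejected on both paths.
var_dump(example_check_password(addslashes('not"the\'password'), $external_hash));
```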