[wp-hackers] Should password hashing portability be configurable?
harry at dxw.com
Wed Nov 7 19:27:25 UTC 2012
I entirely agree. I have seen a discussion somewhere supporting using
MD5 for portability though.
I didn't realise, but there's already a trac ticket:
I shall go add my $0.02 to it.
On 07/11/12 19:24, Otto wrote:
> Yes, that said, bcrypt was indeed intentionally designed to be
> slow-as-heck for hashing, so it would be more secure in theory. I have
> my doubts about that in practice. Modern GPU based crackers are
> Since we're on 5.3 and up now, it does make sense to remove the "true"
> from those functions, since every PHP 5.3 should have bcrypt in it.
> Might be worth making a core ticket for it instead of a plugin.
> On Wed, Nov 7, 2012 at 1:22 PM, Harry Metcalfe <harry at dxw.com> wrote:
>>> The underlying cryptographic hash function is pretty much
>>> irrelevant to the concept of password storage.
>> As far as choosing between MD5/SHA256/similar, I agree. But bcrypt is
>>> Unless the hash algorithm is extremely slow, [...]
>> This is exactly the point. bcrypt is, by design, very slow. And it can be
>> adjusted to make it slower as computing power becomes cheaper. More:
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
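The adjustable bcrypt work factor discussed in this thread, as an added example that is not part of the original messages and is not WordPress or phpass code. It assumes PHP 7.1 or later (newer than the 5.3 baseline mentioned above) for the built-in `password_hash` API; `TARGET_COST`, `bcrypt_cost` and `verify_and_upgrade` are hypothetical names, and the password is a constructed sample.

```php
<?php
// Added example: constructed values throughout; not WordPress or phpass code.

// Hypothetical policy value: the bcrypt cost the site currently requires.
const TARGET_COST = 12;

/** Return the bcrypt cost embedded in a stored hash, or null if it is not bcrypt. */
function bcrypt_cost(string $hash): ?int
{
    // bcrypt hashes look like $2y$NN$ followed by 22 salt + 31 digest characters.
    if (preg_match('/^\$2[abxy]\$(\d{2})\$[.\/A-Za-z0-9]{53}$/', $hash, $m)) {
        return (int) $m[1];
    }
    return null;
}

/**
 * Verify a login and, on success, return a replacement hash when the stored
 * one was made at a different cost than the current policy (null means keep it).
 */
function verify_and_upgrade(string $password, string $stored): array
{
    if (!password_verify($password, $stored)) {
        return ['ok' => false, 'new_hash' => null];
    }
    $new = null;
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => TARGET_COST])) {
        $new = password_hash($password, PASSWORD_BCRYPT, ['cost' => TARGET_COST]);
    }
    return ['ok' => true, 'new_hash' => $new];
}

// The cost is a log2 iteration count: each +1 roughly doubles the time per hash.
foreach ([8, 10, 12] as $cost) {
    $t = microtime(true);
    password_hash('constructed-sample-password', PASSWORD_BCRYPT, ['cost' => $cost]);
    printf("cost %2d: %.1f ms\n", $cost, (microtime(true) - $t) * 1000);
}

// A hash stored earlier at cost 8 is upgraded transparently at the next login.
$old = password_hash('constructed-sample-password', PASSWORD_BCRYPT, ['cost' => 8]);
$res = verify_and_upgrade('constructed-sample-password', $old);
printf("old cost %d -> new cost %d\n", bcrypt_cost($old), bcrypt_cost($res['new_hash']));
```

Because the cost is stored inside each hash, raising `TARGET_COST` later needs no schema change: existing hashes keep verifying and are replaced one login at a time.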