[wp-trac] [WordPress Trac] #21022: Allow bcrypt to be enabled via filter for pass hashing
WordPress Trac
noreply at wordpress.org
Thu Nov 8 14:35:38 UTC 2012
#21022: Allow bcrypt to be enabled via filter for pass hashing
-------------------------------------------+------------------------------
Reporter: th23 | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 3.4
Severity: normal | Resolution:
Keywords: 2nd-opinion punt dev-feedback |
-------------------------------------------+------------------------------
Changes (by harrym):
* keywords: 2nd-opinion punt => 2nd-opinion punt dev-feedback
Comment:
+1 for increasing the cost factor. Jammycakes is absolutely right, and the
factor is indeed stored along with the salt. There are no compatibility
issues involved there.
We do regular password audits for our clients - breaking WordPress
password hashes isn't even slightly difficult. We can try >20k candidates
per second, and that's on a fairly pedestrian office machine. Custom rigs
with multiple GPUs can do hundreds of thousands of attempts per second.
This is not a minor problem!
Can we have dev-feedback on making the use of portable hashes a
configurable option, via a define?
I see no reason why people shouldn't be able to customise this behaviour
in wp-config if they're aware of the tradeoffs.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/21022#comment:26>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list