[wp-trac] [WordPress Trac] #21022: Allow bcrypt to be enabled via filter for pass hashing
WordPress Trac
noreply at wordpress.org
Fri Oct 20 13:24:41 UTC 2017
#21022: Allow bcrypt to be enabled via filter for pass hashing
-------------------------------------------------------+-------------------------
Reporter: th23                                         | Owner:
Type: enhancement                                      | Status: new
Priority: normal                                       | Milestone: Future Release
Component: Security                                    | Version: 3.4
Severity: normal                                       | Resolution:
Keywords: 2nd-opinion has-patch needs-testing 4.9-early | Focuses:
-------------------------------------------------------+-------------------------
Comment (by my1xt):
@tomdxw I fully agree to this. In case of a downgrade you can just forget
the password and set a new one (and you shouldn't use a "personal" password
for an installation that has ugly hashes anyway).

But that this now is an official CVE is nice to see.

But a question I posted still stands:
How many of the super-outdated PHP versions are on a recent WordPress
installation? Are there stats for that? Because only those are in the scope
of this anyway.

And even then, on a later version of WP like 5.0, PHP <5.3.7 could be axed.

Also, since the older versions apparently still get patched for quite a
while; I mean even 3.7 still got an update in September, and 3.7 as a whole
is almost 4 years old.

PHP 5.2 is, as already said, already EOL for over 6 years and 9 months, and
if 4.9, which is scheduled for Nov 14, would be the last 4.x release and
contained MD5 hashes, and it would also get about 4 years of patches,
PHP 5.2 would be EOL for 10 years and 10 months at that hypothetical
end of WP 4.9.

So while it would be sad to see MD5 in 4.9, it would make sense to enter
at least a transition with what @tomdxw said and in 5.0 axe it completely.

While I am not a fan of axing old versions for mundane reasons, this
is a pretty important security thing and really slowing down WP in this
aspect.

But when we add password_hash, I would love to have a setting for the
parameters (using argon2 in PHP 7.2, or just changing the cost depending on
what you like).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:92>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
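The transition the comment asks for (verify legacy hashes, then re-hash on login with password_hash() using tunable parameters), as an added example that is not WordPress core code and not from the ticket. It assumes a hypothetical options callback standing in for a WordPress filter and a stand-in legacy verifier; both names are made up here.

```php
<?php
// Added illustration, not WordPress core code. The option picker below stands
// in for a filter such as the one the ticket asks for; the caller supplies a
// verifier for the legacy hash format (here a constructed MD5 stand-in).

// Hypothetical "filter": choose algorithm and cost. Argon2i exists from PHP 7.2;
// fall back to bcrypt with a raised cost on older runtimes.
function hashing_options(): array {
    if (defined('PASSWORD_ARGON2I')) {
        return ['algo' => PASSWORD_ARGON2I, 'options' => []];
    }
    return ['algo' => PASSWORD_BCRYPT, 'options' => ['cost' => 12]];
}

// Returns [bool $authenticated, string $hashToStore]. The stored hash is
// upgraded when it is a legacy hash or when the configured parameters changed.
function verify_and_upgrade(string $password, string $stored, callable $legacy_check): array {
    $opts = hashing_options();
    $info = password_get_info($stored);

    // password_get_info() reports no algorithm for hashes it does not recognise
    // (0 before PHP 7.4, null afterwards): treat those as legacy hashes.
    if (empty($info['algo'])) {
        if (!$legacy_check($password, $stored)) {
            return [false, $stored];
        }
        return [true, password_hash($password, $opts['algo'], $opts['options'])];
    }

    if (!password_verify($password, $stored)) {
        return [false, $stored];
    }
    // Re-hash if the cost or algorithm from the options differs from the stored hash.
    if (password_needs_rehash($stored, $opts['algo'], $opts['options'])) {
        return [true, password_hash($password, $opts['algo'], $opts['options'])];
    }
    return [true, $stored];
}

// Constructed demo: a plain MD5 hash stands in for the old format.
$legacy = function (string $p, string $h): bool {
    return hash_equals($h, md5($p));
};
[$ok, $new] = verify_and_upgrade('correct horse', md5('correct horse'), $legacy);
// $ok is true; $new now starts with "$2y$" (bcrypt) or "$argon2i$" and should
// replace the MD5 value in storage. A wrong password returns [false, original].
```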